Global Hacking Operation is Targeting MSPs, Stealing Customer Data

A new report from PwC UK and BAE Systems details a sophisticated cyber espionage campaign by a well-known China-linked group, which gains access to customer data and intellectual property by infiltrating MSPs.

Aldrin Brown, Editor-in-Chief

April 7, 2017

A sophisticated global hacking operation emanating from China has compromised managed service provider (MSP) networks and is targeting additional MSPs in an effort to steal sensitive data and intellectual property from enterprise customers.

That’s the conclusion of a new joint report from PwC UK and BAE Systems, which details an intricate cyber espionage campaign by a well-known threat actor, APT10.

So-called “Operation Cloud Hopper” has been in effect since at least 2016 and has intensified during 2017, the researchers said.

“APT10 has vastly increased the scale and scope of its targeting to include multiple sectors, which has likely been facilitated by its compromise of MSPs,” the report states. “Such providers are responsible for the remote management of customer IT and end-user systems, thus they generally have unfettered and direct access to their clients’ networks.

“They may also store significant quantities of customer data on their own internal infrastructure.”

Evidence suggests that the hackers are working during business hours in China and even taking lunchtime pauses in activity, according to the report, which was made public in recent days.

The APT10 group is known for cyber espionage, and the researchers assess that it views MSPs and cloud service providers as high-payoff targets.

“Given the level of client network access MSPs have, once APT10 has gained access to (an) MSP, it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims,” the security experts wrote.

“This, in turn, would provide access to a larger amount of intellectual property and sensitive data,” the report goes on. “APT10 has been observed to exfiltrate stolen intellectual property via the MSPs, hence evading local network (defenses).”
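Two of the behaviours described above, an operator whose activity clusters in China’s business day with a lunchtime lull and an MSP account that suddenly reaches customer tenants it never touched before, are things an MSP’s own defenders can test for in jump-host authentication logs. The following is an added example written for this article, not code from the PwC/BAE report; the log events are constructed, and the field names (account, tenant, host) and the 09:00–17:59 working day are assumptions about a generic MSP log schema.

```python
"""Two analytics an MSP defender can run over jump-host authentication logs:
(1) find the UTC offset that best explains an account's activity as a normal working
day, and report quiet hours inside it (a lunch break); (2) flag accounts that fan out
to customer tenants they never touched during a baseline period.

Added example, not code from the PwC/BAE report. All events below are constructed and
the field names (account, tenant, host) are assumptions about a generic MSP log schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BUSINESS_HOURS = range(9, 18)  # assumed operator working day, 09:00-17:59 local time


def ev(day, hour, minute, account, tenant, host):
    """Build one constructed log event: (UTC timestamp, MSP account, customer tenant, host)."""
    return (datetime(2017, 3, day, hour, minute, tzinfo=timezone.utc), account, tenant, host)


# Constructed sample log. 'svc-backup' behaves normally (one tenant, UTC daytime).
# 'msp-admin01' is the suspected account: one tenant in the baseline period, then on
# 21 March it reaches three new tenants, with all activity between 01:00 and 09:59 UTC
# except a gap at 04:00 UTC (09:00-17:59 UTC+8 with a break at 12:00 local).
EVENTS = [
    ev(20, 9, 5, "svc-backup", "acme", "acme-fs01"),
    ev(20, 14, 30, "svc-backup", "acme", "acme-fs02"),
    ev(21, 10, 0, "svc-backup", "acme", "acme-fs01"),
    ev(20, 9, 0, "msp-admin01", "acme", "acme-dc01"),
    ev(21, 1, 10, "msp-admin01", "globex", "globex-dc01"),
    ev(21, 2, 20, "msp-admin01", "globex", "globex-fs01"),
    ev(21, 3, 45, "msp-admin01", "initech", "initech-dc01"),
    ev(21, 5, 15, "msp-admin01", "initech", "initech-mail"),
    ev(21, 6, 30, "msp-admin01", "umbrella", "umb-dc01"),
    ev(21, 7, 5, "msp-admin01", "umbrella", "umb-fs01"),
    ev(21, 8, 40, "msp-admin01", "acme", "acme-fs01"),
    ev(21, 9, 55, "msp-admin01", "globex", "globex-fs02"),
]
CUTOFF = datetime(2017, 3, 21, tzinfo=timezone.utc)  # end of the baseline period


def account_events(events, account):
    """Events belonging to one MSP account."""
    return [e for e in events if e[1] == account]


def hour_histogram(events, offset_hours):
    """Count events per local hour after shifting UTC timestamps by offset_hours."""
    counts = Counter()
    for ts, *_ in events:
        counts[(ts + timedelta(hours=offset_hours)).hour] += 1
    return counts


def infer_operator_offset(events):
    """Return (utc_offset, fraction) for the offset that puts the largest share of
    events inside BUSINESS_HOURS. Ties go to the smaller offset; treat a low fraction
    or a near-tie as inconclusive rather than as attribution."""
    best = (None, -1.0)
    for offset in range(-12, 15):
        hist = hour_histogram(events, offset)
        in_hours = sum(c for h, c in hist.items() if h in BUSINESS_HOURS)
        frac = in_hours / len(events)
        if frac > best[1]:
            best = (offset, frac)
    return best


def lunch_gap(events, offset_hours):
    """Local hours with no activity between the account's first and last active hour."""
    hist = hour_histogram(events, offset_hours)
    active = sorted(hist)
    return [h for h in range(active[0], active[-1]) if hist[h] == 0]


def flag_new_tenant_fanout(events, cutoff, min_new_tenants=2):
    """Accounts that, after cutoff, touched at least min_new_tenants tenants they never
    touched in the baseline. With the broad access an MSP holds, this fan-out is the
    signal of lateral movement from the provider into customer networks."""
    before, after = defaultdict(set), defaultdict(set)
    for ts, account, tenant, _host in events:
        (before if ts < cutoff else after)[account].add(tenant)
    return sorted(a for a in after if len(after[a] - before[a]) >= min_new_tenants)


if __name__ == "__main__":
    suspect = account_events(EVENTS, "msp-admin01")
    offset, frac = infer_operator_offset(suspect)
    print(f"msp-admin01 best fit UTC{offset:+d}, {frac:.0%} of events in business hours")
    print("quiet local hours:", lunch_gap(suspect, offset))
    print("accounts fanning out to new tenants:", flag_new_tenant_fanout(EVENTS, CUTOFF))
```

On the constructed data the suspect account fits UTC+8 with every event inside the working day and a quiet hour at 12:00 local, and it is the only account that reaches new tenants after the cut-off. The time-zone fit is a weak signal on its own (an operator can schedule tasks or work odd hours), so it belongs beside infrastructure and tooling evidence, as in the report; the tenant fan-out check is the one worth alerting on, because an MSP account legitimately serving one customer has no reason to authenticate to several others.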

MSPs are initially infiltrated through well-researched spear-phishing campaigns against their staff.

“Through our investigations, we have identified multiple victims who have been infiltrated by the threat actor,” the researchers wrote. “Several of these provide enterprise services or cloud hosting, supporting our assessment that APT10 are almost certainly targeting MSPs.

“We believe that the observed targeting of MSPs is part of a widescale supply-chain attack.”


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.
