A new report from PwC UK and BAE Systems details a sophisticated cyber espionage campaign by a well-known China-linked group, which gains access to customer data and intellectual property by infiltrating MSPs.

Aldrin Brown, Editor-in-Chief

April 7, 2017

2 Min Read
Global Hacking Operation is Targeting MSPs Stealing Customer Data

A sophisticated global hacking operation emanating from China has compromised managed service provider (MSP) networks and is targeting additional MSPs in an effort to steal sensitive data and intellectual property from enterprise customers.

That’s the conclusion of a new joint report from PwC UK and BAE Systems, which details an intricate cyber espionage campaign by a well-known threat actor known as APT10.

So-called “Operation Cloud Hopper” has been in effect since at least last year, and has intensified during 2017, the researchers said.

“APT10 has vastly increased the scale and scope of its targeting to include multiple sectors, which has likely been facilitated by its compromise of MSPs,” the report states. “Such providers are responsible for the remote management of customer IT and end-user systems, thus they generally have unfettered and direct access to their clients’ networks.

“They may also store significant quantities of customer data on their own internal infrastructure.”

Evidence suggests that the hackers are working during business hours in China and even taking lunchtime pauses in activity, according to the report, which was made public in recent days.

The APT10 group is known for cyber espionage and the researchers suspect the criminals view MSPs and cloud service providers as high-payoff targets.

“Given the level of client network access MSPs have, once APT10 has gained access to (an) MSP, it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims,” the security experts wrote.

“This, in turn, would provide access to a larger amount of intellectual property and sensitive data,” the report goes on. “APT10 has been observed to exfiltrate stolen intellectual property via the MSPs, hence evading local network (defenses).”

MSPs are initially infiltrated through well-researched phishing campaigns.

“Through our investigations, we have identified multiple victims who have been infiltrated by the threat actor,” the researchers wrote. “Several of these provide enterprise services or cloud hosting, supporting our assessment that APT10 are almost certainly targeting MSPs.

“We believe that the observed targeting of MSPs is part of a widescale supply-chain attack.”

Click here to view the full report.


Send tips and news to [email protected].

Read more about:


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.


Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like