A cool head is the best response to APT10
The source of the story is Cloud Hopper, the APT campaign developed by PwC with BAE Systems, and it certainly sounds scary. According to Cloud Hopper, APT10 targets managed service providers to gain access their clients’ intellectual property and other confidential data, and have observed the evolution of APT10 to encompass new, more sophisticated bespoke malware tools, alongside traditional methods of access such as phishing and social engineering.
The idea that MSPs, businesses’ trusted IT partners, are now a vulnerable vector for state-sponsored cyber espionage, will naturally cause alarm among many businesses and will likely lead to panicked enquiries to their service providers to demand what steps they are taking to protect against this terrifying new threat.
Before we give way to fear, let us temper the mood of panic with a little sobriety. First off, the assertion by some media outlets that a new, shadowy army of Chinese hackers is directly targeting UK businesses seems a little hysterical. While British businesses have fallen victim, there is nothing to suggest that APT10 is a specifically UK-focused threat.
What’s more, we should not give the attackers too much credit for their sophistication. On a technical level we see nothing in the tools and techniques deployed by “APT10” that’s any different from other modern hacking campaign, and certainly nothing that should cause us to change our Assess, Protect, Detect, Respond framework. Yes, the threat continues to evolve – for example, moving from reliance on Poison Ivy and PlugX malware to a range of open-source tools – but so does any threat in today’s security landscape.
As for its origin (Cloud Hopper states that there is a 76 – 90 per cent chance that APT10 comes from China), this is not particularly relevant to the huge majority of businesses. That the threat comes from China is only really of academic interest, and while it certainly fits the traditional media narrative, we can’t be completely sure. After all, the famous Sony hack in 2014, previously attributed to North Korea, is now thought to have been a cover operation by Russia-based attackers.
What is of interest, however, is the targeting of MSPs. This certainly marks a change of tactics by the attackers, and it’s this new approach that may lead businesses to rush to their service providers to demand that they are taking the threat seriously, and have the right safeguards in place.
Of course, supply-chain security is an important discipline, as we’ve discussed in previous blogs about ransomware and other malware. It’s important to remember, however, that for the majority of UK businesses a direct attack on their people or systems would be a much cleaner, easier and more targeted method of infiltrating their systems.
SecureData is fully aware of its own role as an MSP and the possibility that we could be targeted as a vector for attacking our clients. We regulate ourselves to highest standards with regards to cybersecurity risk but have also specifically initiated a program to assess our own systems for any vulnerability or sign of compromise by this group.
Please contact your account manager or email [email protected] if you have any further questions.