Uncovering a new sustained global cyber espionage campaign

Operation Cloud Hopper

PwC’s cyber security practice has worked closely with BAE Systems and other members of the security community, along with the UK’s National Cyber Security Centre (NCSC), to uncover and disrupt what is thought to be one of the largest ever sustained global cyber espionage campaigns in an operation referred to as ‘Operation Cloud Hopper’.

Since late 2016, PwC and BAE Systems have been collaborating to research the threat, brief the global security community and assist known victims. The threat actor behind the campaign is widely known within the security community as ‘APT10’, referred to within PwC UK as ‘Red Apollo’.

The espionage campaign targeted managed IT service providers (MSPs). Because an MSP holds trusted, often privileged, administrative access into each of its customers' networks, compromising a single provider gave APT10 a route to the intellectual property and sensitive data not only of the MSPs themselves but of their clients around the world. Reaching many victims through a few well-placed intermediaries marks a new level of maturity in cyber espionage, so it is more important than ever to have a comprehensive view of the threats your organisation is exposed to, whether directly or through your supply chain, including the third parties that administer your systems.

The sheer scale of the operation was uncovered through collaboration between organisations in the public and private sectors, but what has been found so far is likely to represent only a small portion of APT10's global operations. A number of Japanese organisations have also been targeted in a separate, simultaneous campaign by the same group, in which APT10 masqueraded as legitimate Japanese government entities to gain initial access.

More detail on the operation is included in our joint report with BAE Systems, available to download below. You can also download separate documents outlining the key indicators of compromise to check for and technical details relating to APT10.

For any questions on the operation or APT10 please contact our Threat Intelligence team, or for advice on protecting your organisation please contact Threat Detection and Response on the details below.


MD5 Hashes

The following are MD5 hashes of the downloadable documents, so you can confirm that the file you received matches the one published here. Note that MD5 is no longer collision-resistant, so a matching hash only guards against a corrupted or swapped download; it is not proof of who produced the file.

Main Report: 20f0dde824193a7367b9fd36ff998908
Annex A: Indicators of Compromise: 3c995e5387c95bcebcf48ec3a852beef
Annex B: 36cb01a7c598ed2048a0eed95c14d5da
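To check the downloaded PDFs against the hashes published above, the following POSIX shell script is an added example (it is not PwC's or BAE Systems' own tooling). The three filenames in verify_all are assumptions about what you saved each download as, and the fall-back to openssl is for systems without coreutils md5sum.

```shell
#!/bin/sh
# Verify downloaded Cloud Hopper documents against the MD5 values published on this page.
# Added example, not part of the original page. MD5 only detects a corrupted or swapped
# download; it is collision-prone, so it is an integrity check, not a proof of origin.

md5_of() {
  # Portable MD5 of a file: coreutils md5sum on Linux, openssl elsewhere (e.g. macOS).
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    openssl dgst -md5 "$1" | awk '{print $NF}'
  fi
}

verify_md5() {
  # verify_md5 <file> <expected-hex>
  # Returns 0 on match, 1 on mismatch or missing file. Hex case is normalised.
  f=$1
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  if [ ! -f "$f" ]; then
    echo "MISSING  $f" >&2
    return 1
  fi
  actual=$(md5_of "$f")
  if [ "$actual" = "$expected" ]; then
    echo "OK       $f"
    return 0
  fi
  echo "MISMATCH $f (expected $expected, got $actual)" >&2
  return 1
}

verify_all() {
  # Check every published document inside directory $1 (default: current directory).
  # Filenames are assumptions; rename them to match what you downloaded.
  dir=${1:-.}
  status=0
  verify_md5 "$dir/cloud-hopper-report.pdf"  20f0dde824193a7367b9fd36ff998908 || status=1
  verify_md5 "$dir/cloud-hopper-annex-a.pdf" 3c995e5387c95bcebcf48ec3a852beef || status=1
  verify_md5 "$dir/cloud-hopper-annex-b.pdf" 36cb01a7c598ed2048a0eed95c14d5da || status=1
  return $status
}

# Usage: sh verify.sh --check ~/Downloads   (exit status 1 if any file is missing or mismatched)
case "${1:-}" in
  --check) verify_all "${2:-.}" ;;
esac
```

A non-zero exit status is the signal to act on: do not open or distribute a mismatching file, and re-download it from the original source rather than from a mirror.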

Contact us

Cyber Threat Detection and Response

Cyber Threat Intelligence