Since late 2016, we’ve worked closely with BAE Systems, the UK’s National Cyber Security Centre (NCSC) and other members of the security community to uncover and disrupt what’s thought to be one of the largest ever sustained global cyber espionage campaigns. This operation is referred to as ‘Operation Cloud Hopper’.
The threat actor behind the campaign is widely known within the cyber security community as ‘APT10’, referred to within PwC UK as ‘Red Apollo’. It’s a widely held view within the community that APT10 is a China-based threat actor.
Our analysis of the compile times of malware binaries, the registration times of domains attributed to APT10, and the majority of its intrusion activity indicates a pattern of work in line with China Standard Time (UTC+8).
The threat actor’s targeting of diplomatic and political organisations in response to geopolitical tensions, as well as the targeting of specific commercial enterprises, is closely aligned with strategic Chinese interests.
The espionage campaign has targeted managed IT service providers (MSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage. So it’s more important than ever to have a comprehensive view of all the threats your organisation might be exposed to, either directly or through your supply chain.
The sheer scale of the operation was uncovered through collaboration amongst organisations in the public and private sectors, but is still only likely to reflect a small portion of APT10’s global operations. A number of Japanese organisations have also been targeted in a separate, simultaneous campaign by the same group, with APT10 masquerading as legitimate Japanese government entities to gain access.
APT10’s activity can be outlined in six steps:
This campaign serves to highlight the importance of organisations having a comprehensive view of their threat profile, including that of their supply chain. More broadly, it should also encourage organisations to fully assess the risk posed by their third-party relationships, and prompt them to take appropriate steps to assure and manage these.
More detail on the operation is included in our joint report with BAE Systems, available to download below. You can also download separate documents outlining the key indicators of compromise to check for and technical details relating to APT10.
For any questions on the operation or APT10 please contact our threat intelligence team, or for advice on protecting your organisation contact our threat detection and response team on the details below.
Cyber Threat Operations Lead Partner, PwC United Kingdom
Tel: +44 (0)7725 707360