Operation Cloud Hopper

What is Operation Cloud Hopper?

Since late 2016, we’ve worked closely with BAE Systems, the UK’s National Cyber Security Centre (NCSC) and other members of the security committee to uncover and disrupt what’s thought to be one of the largest ever sustained global cyber espionage campaigns. This operation is referred to as ‘Operation Cloud Hopper’.

Who’s responsible?

The threat actor behind the campaign is widely known within the cyber security community as ‘APT10’, referred to within PwC UK as ‘Red Apollo’. It’s a widely held view within the community that APT10 is a China-based threat actor.

Our analysis of the compile times of malware binaries, the registration times of domains attributed to APT10, and the majority of its intrusion activity indicates a pattern of work in line with China Standard Time (UTC+8).

The threat actor’s targeting of diplomatic and political organisations in response to geopolitical tensions, as well as the targeting of specific commercial enterprises, is closely aligned with strategic Chinese interests.

Who has it targeted?

The espionage campaign has targeted managed IT service providers (MSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage. So it’s more important than ever to have a comprehensive view of all the threats your organisation might be exposed to, either directly or through your supply chain.

The sheer scale of the operation was uncovered through collaboration amongst organisations in the public and private sectors, but is still only likely to reflect a small portion of APT10’s global operations. A number of Japanese organisations have also been targeted in a separate, simultaneous campaign by the same group, with APT10 masquerading as legitimate Japanese government entities to gain access.

How was it carried out?

APT10’s activity can be outlined in six steps:

  1. APT10 compromises a Managed IT Services provider.
  2. MSP customers who align to APT10’s targeting profile are accessed by the threat actor using the MSPs legitimate access.
  3. Data of interest to APT10 is accessed by the threat actor moving laterally through systems.
  4. MSP customer data is collected by APT and compressed, ready for exfiltration from the network.
  5. Compressed files filled with stolen data are moved from the MSP customer’s network back onto the MSP network.
  6. APT10 exfiltrates stolen data back through MSPs to infrastructure controlled by the threat actor.

What can be done to defend against it?

This campaign serves to highlight the importance of organisations having a comprehensive view of their threat profile, including that of their supply chain’s. More broadly, it should also encourage organisations to fully assess the risk posed by their third party relationships, and prompt them to take appropriate steps to assure and manage these.

More detail on the operation is included in our joint report with BAE Systems, available to download below. You can also download separate documents outlining the key indicators of compromise to check for and technical details relating to APT10.

For any questions on the operation or APT10 please contact our threat intelligence team, or for advice on protecting your organisation contact our threat detection and response team on the details below.

Contact us

Richard Horne

Richard Horne

Cyber Security Partner and Chairman, PwC United Kingdom

Kris  McConkey

Kris McConkey

Cyber Threat Operations Lead Partner, PwC United Kingdom

Tel: +44 (0)7725 707360

Follow us