Since late 2016 we’ve been working with the National Cyber Security Centre and other security organisations to help victims of a major global cyber espionage campaign, conducted by a China-based threat actor most widely known in the security community as APT10.
APT10 has a focus on espionage and wide-ranging information collection. It’s been in operation since at least 2009, and has evolved its initial focus from the US defence industrial base and the technology and telecommunications sector to widespread compromises of multiple industries and sectors across the globe, most recently with a focus on managed IT service providers (MSPs).
By targeting MSPs, this campaign - known as Operation Cloud Hopper - has given APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs - as well as their clients - globally. A number of Japanese organisations have also been directly targeted in a separate, simultaneous campaign by the same actor.
"The future of cyber defence lies beyond simple intelligence sharing, but in forging true collaboration between organisations in the public and private sector with the deep technical and innovative skills required to combat this type of threat."
PwC's and BAE Systems' Threat Intelligence teams have been tracking and researching APT10 on an ongoing basis, and PwC's Incident Response team has been supporting multiple investigations linked to APT10 compromises.
This collaborative research - and the report we jointly published with BAE Systems - has highlighted that the threat actor almost certainly benefits from significant staffing and logistical resources, which have increased over the last three years, with a significant step-change in 2016. In the context of its operations throughout 2016 and 2017, we believe it’s made up of multiple teams, each responsible for a different section of the day-to-day operations - domain registration; infrastructure management; malware development; target operations; and analysis.
As part of our research, we've made a number of observations about APT10 and its profile which support our assessment that APT10 is a China-based threat actor. For example, we've identified patterns within the domain registrations and file compilation times associated with APT10 activity, consistent with working hours in China's time zone. And we've seen that APT10 has been systematically targeting Japanese organisations using bespoke malware referred to in the public domain as 'ChChes'.
“The indirect approach of this attack highlights the need for organisations to have a comprehensive view of their threat landscape, which includes their supply chain, and focus on improving their ability to hunt for this type of activity."
Espionage attacks associated with China-based threat actors have traditionally targeted organisations that are of strategic value to Chinese businesses and where intellectual property obtained from such attacks could facilitate domestic growth or advancement.
Operation Cloud Hopper highlights the importance of organisations having a comprehensive view of their own threat profile, as well as that of their supply chain. It should also encourage organisations to fully assess the risk posed by their third party relationships, and prompt them to take appropriate steps to assure and manage these.
By working closely with other organisations, PwC was able to brief the global security community, MSPs and known victims to help them prevent, detect and respond to these attacks. Throughout our research, we shared our findings, detailed technical analysis and indicators of compromise with the National Cyber Security Centre, in support of its remit of protecting the UK. The joint report with BAE Systems provides further information about the tools and techniques used by APT10 and this threat actor's known campaigns.