Operation Cloud Hopper – APT10 goes after Managed Service Providers

Security experts uncovered a widespread campaign tracked as Operation Cloud Hopper known to be targeting managed service providers (MSPs) worldwide. Chinese APT10 group is the main suspect.

Security experts from PwC UK and BAE Systems have uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide. The experts attributed the operation to the Chinese APT group known as APT10.

The expert gathered evidence that suggests the involvement of the APT10 group and domain registration timing indicates operation was conducted with a China’s time zone.

The attackers used same malware exploited in other attacks attributed to APT10, the Poison Ivy RAT and PlugX malware are the most popular malicious codes in the arsenal of the crew. Experts noticed the group from around mid-2016 started to use once again PlugX, ChChes, Quasar and RedLeaves.

“APT10 has significantly increased its scale and capability since early 2016, including the addition of new custom tools. APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report, which comprehensively detailed the malware’s functionality and features, and its use by several China-based threat actors, including APT10.” reads the report published by the security firms. “APT10 primarily used PlugX malware from 2014 to 2016, progressively improving and deploying newer versions, while simultaneously standardizing their command and control function.”

The Operation Cloud Hopper campaign leveraged on well-researched spear-phishing messages aimed to compromise MSPs.

The hackers used this tactic to obtain legitimate credentials to access the client networks of MPSs and exfiltrate sensitive data.

The attackers aimed to compromise the supply chain to steal intellectual property from the victims.

“Other threat actors have previously been observed using a similar method of a supply chain attack, for example, in the compromise of Dutch certificate authority DigiNotar in 2016 and the compromise of US retailer Target in 2013″ continues the report. “We believe that the observed targeting of MSPs is part of a widescale supply-chain attack.”

The Operation Cloud Hopper demonstrates that the APT10 focuses on cyber espionage activity, targeting intellectual property. The author of the report confirmed the APT10 has exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Operation Cloud Hopper, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.