Operation Cloud Hopper – APT10 goes after Managed Service Providers

Security experts uncovered a widespread campaign tracked as Operation Cloud Hopper known to be targeting managed service providers (MSPs) worldwide. Chinese APT10 group is the main suspect.

Security experts from PwC UK and BAE Systems have uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide. The experts attributed the operation to the Chinese APT group known as APT10.

The expert gathered evidence that suggests the involvement of the APT10 group and domain registration timing indicates operation was conducted with a China’s time zone.

The attackers used same malware exploited in other attacks attributed to APT10, the Poison Ivy RAT and PlugX malware are the most popular malicious codes in the arsenal of the crew. Experts noticed the group from around mid-2016 started to use once again PlugX, ChChes, Quasar and RedLeaves.

“APT10 has significantly increased its scale and capability since early 2016, including the addition of new custom tools. APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report, which comprehensively detailed the malware’s functionality and features, and its use by several China-based threat actors, including APT10.” reads the report published by the security firms. “APT10 primarily used PlugX malware from 2014 to 2016, progressively improving and deploying newer versions, while simultaneously standardizing their command and control function.”

The Operation Cloud Hopper campaign leveraged on well-researched spear-phishing messages aimed to compromise MSPs.

The hackers used this tactic to obtain legitimate credentials to access the client networks of MPSs and exfiltrate sensitive data.

The attackers aimed to compromise the supply chain to steal intellectual property from the victims.

“Other threat actors have previously been observed using a similar method of a supply chain attack, for example, in the compromise of Dutch certificate authority DigiNotar in 2016 and the compromise of US retailer Target in 2013″ continues the report. “We believe that the observed targeting of MSPs is part of a widescale supply-chain attack.”

The Operation Cloud Hopper demonstrates that the APT10 focuses on cyber espionage activity, targeting intellectual property.  The author of the report confirmed the APT10 has exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Operation Cloud Hopper, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]