UK security experts have warned of a major new China-based info-stealing campaign targeting multinational organizations via their managed IT service providers (MSPs).
PwC UK worked closely with UK defense firm BAE Systems and the new National Cyber Security Centre (NCSC) to uncover “Operation Cloud Hopper”, which they describe as “one of the largest ever sustained global cyber espionage campaigns.”
Such “stepping stone” attacks are not uncommon, but the scale of this campaign is noteworthy, with MSP infrastructure used as “part of a complex web of exfiltration routes spanning multiple victim networks.”
The group behind the attacks may have started operations as early as 2014, although it stepped up activity in 2016, adapting its tools and techniques all the time.
Poison Ivy and PlugX malware were both used in the past, but there has more recently been a move to bespoke malware and customized open source tools, which hint at growing sophistication, according to the report.
The group behind the attacks is thought to be APT10, a well-known Chinese threat group, with attribution based around the network of dynamic DNS domains used for its C&C infrastructure, which matches previous campaigns.
Other reasons why the researchers are pointing to China include the activity of the group matching China Standard Time (GMT+8), and the targeting of industries which would provide valuable info to advance Beijing’s ambitious “Made in China 2025” innovation goals.
“The threat actor’s targeting of diplomatic and political organizations in response to geopolitical tensions, as well as the targeting of specific commercial enterprises, is closely aligned with strategic Chinese interests,” the report claimed.
However, if questioned, the Chinese government will presumably be able to roll out the usual plausible deniability statements.
On another note, the research itself is an early boost for the NCSC, which helped coordinate the efforts of PwC and BAE Systems and demonstrated the value of public-private sector collaboration.
“Whilst this was uncovered by teams based in the UK, the campaign itself was of a global nature, targeting MSPs and their customers based not only here but across lots of other countries,” a spokesperson told Infosecurity Magazine.
“We've been working with partners to brief others across the global security community and have also been helping organizations outside the UK who are known victims.”