Scope of MUDCARP Attacks Highlights Third-Party Risk


Several universities in the US and Canada have reportedly been the target of nation-state attacks coming from a threat group identified as MUDCARP, believed to be linked to China. According to a report from The Wall Street Journal (WSJ), all of the institutions and universities involved in the attack had links to Cape Cod’s Woods Hole Oceanographic Institute (WHOI).

The report is based on the research findings of iDefense, a cybersecurity intelligence unit of Accenture Security. While the names of the victim organizations are not revealed in the report, they were shared privately with WSJ. The more important takeaway from the nearly two decades of research exposed in the report is that third parties and supply chains leave organizations open to extensive threats from foreign adversaries.

“Organizations need to understand that espionage actors will seek to exploit any organization within a target’s supply chain to fulfill its strategic collection requirements,” the report said.

No organization wants its name to be associated with cyber-attacks from foreign adversaries. WHOI said that, since it identified a data breach in 2015, it has made extensive efforts to establish “an exceptionally robust, multi-tier network security system, designed, implemented, and tested in consultation with FireEye, one of the nation’s leading cybersecurity firms,” a company spokesperson wrote.

“The Institution also maintains a program of network monitoring and security training, complementing state-of-the-art hardware and software systems for threat detection, prevention, and elimination. The Institution is in regular contact with federal agencies, including the Department of Homeland Security and law enforcement agencies, regarding cyber security matters.”

In an interview with WBUR, Howard Marshall, intelligence director for cyber-threat intelligence services at Accenture, said that these types of attacks are nothing new, though the scope is significant. While WHOI might be the common link in this case, it’s more important to look at the bigger picture of the risks from third parties and supply chains, particularly in the federal government.

“There’s a lot of specialized information that’s created out there, so it’s research initiatives, it’s data. It’s stuff that – in this case, maybe it’s WHOI – but it's stuff that any of these other supply chains could be doing that may be focused on their particular niche research project but may inform a broader department of defense (DoD) effort,” Marshall said.

The report also found that “it is likely that MUDCARP actors have targeted several cleared defense contractors, universities (both domestic and foreign), and oceanographic institutes. MUDCARP and other cyber-espionage threat groups will continue to target companies, think tanks and universities who are in the DoD supply chain as a means of stealing intellectual property and exploiting those business relationships targeting DoD organizations.”
