China-based hacking crew pokes holes in UK firms and drains data
Cyber-spies target intellectual property and trade secrets
UK companies are being targeted by a China-based global hacking group dubbed APT10.
The Operation Cloud Hopper campaign focuses on managed service providers (MSPs); a successful compromise of an MSP gives the APT10 hackers access to its intellectual property, sensitive data, and global clients. A number of Japanese organisations have also been targeted by the same crew, according to a joint report by PwC and BAE Systems.
APT10 has significantly increased its scale and capability since early 2016, including the addition of new custom tools. The switch from using the Poison Ivy and PlugX malware to bespoke malware as well as open-source tools shows increased sophistication. The group still uses phishing and other social engineering techniques to push its wares.
The group focuses on espionage activity, targeting intellectual property and other sensitive data, PwC reports.
"APT10 is known to have exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks, and those of their customers, to stealthily move this data around the world," the researchers warn.
PwC UK and BAE Systems rate it "highly likely" that APT10 is a China-based threat actor. The group has been active since 2009, and has already been profiled by security researchers at FireEye and CrowdStrike, among others.
Targeting service providers in order to get at their clients represents a shift in tactics by cyber-spies, who might similarly be driven to go after university research departments as a route to defence contractors, or to hack the systems of the lawyers and accountants serving other intelligence targets.
Donato Capitella, senior security consultant at MWR InfoSecurity, commented: "In the past decade we have observed major, critical organisations raise their cyber defence profile, by allocating larger budgets into their prevention, detection and response capabilities. This naturally led to crime displacement or relocation, meaning that attackers have shifted their attention to the smaller third parties that supply services to these organisations."
Matt Walmsley, EMEA director at cybersecurity company Vectra Networks, added: "These criminals continue to play a long game, prepared to wait months – even years – to harvest valuable data without being noticed. Malicious code or indeed a live connection to a bad actor can sit, unnoticed like a leech, harvesting useful data slowly and consistently." ®