How APT10 Hacker Group Attacked MSP, Pursued Bigger Scores
Last October, the U.S. Department of Homeland Security (DHS) warned in a technical alert that hackers are attacking MSSPs, MSP and CSPs as the weak link in a supply chain to get to their customers. In strongly advising service providers to lock down their systems and data, the DHS issued a set of best practices specifically for service providers.
Now we get word that Chinese-sponsored hacker APT10 last year attacked Visma, a large Norwegian managed service provider (MSP), and two other companies in a scheme to launch thousands of secondary assaults on businesses worldwide, a new report said. Analysts with Recorded Future’s Insikt Group and cloud security provider Rapid7 believe the notorious threat actor APT10 wasn’t interested in Visma’s intellectual property in the break in. Instead the bad actors wanted to parasite Visma’s network into far bigger scores. Insikt and Rapid7 tracked APT10’s movements between between November 2017 and September 2018.
The attack on Visma may be part of a larger scheme dubbed “Operation Cloud Hopper,” run by the Chinese Chinese intelligence agency, the Ministry of State Security [MSS], aimed specifically at MSPs, the companies said in a blog post.
The watch words: Expect these style attacks to hit worldwide, with the U.S. a big, juicy target.
APT10’s targets included:
- Visma, a billion-dollar Norwegian MSP, with some 850,000 customers globally.
- An international apparel company.
- A U.S. law firm with strong experience in intellectual property law with clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, among others.
In each attack, the hackers infiltrated the victim’s’ network through Citrix and LogMeIn remote access software using hijacked user credentials, possibly gained through compromising a third-party supply chain.
“Based on the technical data uncovered, and in light of recent disclosures by the U.S. Department of Justice on the ongoing activities of Chinese state-sponsored threat actors, we assess with high confidence that these incidents were conducted by APT10 (also known as Stone Panda, menuPass, CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage,” the security researchers wrote.
What’s going on?
- For more than two years, the DHS’ National Cybersecurity and Communications Integration Center (NCCIC) has tracked hackers that are using advanced persistent threat (APT) tools aimed at breaking into the networks of both MSPs and CSPs and the infrastructure of their customers.
- The threat actors are exploiting trusted relationship between provider and customer, figuring that the provider commands delicate information that can get the bad actor inside the customer’s network.
- In December, 2018, two Chinese nationalists were charged with hacking into U.S.-based MSPs to hit end-customer networks worldwide. The victims included major MSP wings of IBM and HP Enterprise at the time.
- Two months earlier, the U.S. Department of Homeland Security warned MSPs and cloud services providers (CSPs) that cyber gangsters where targeting their systems and remote monitoring and management software to infiltrate end-customer networks.
- In early January, Data Resolution, an MSP, help desk provider and Microsoft partner in California, was nailed by a Ryuk ransomware attack.
Insikt and Rapid7 warned that APT10 is a major threat to large corporations worldwide. “We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date. On top of the breadth, volume, and targets of attacks that APT10 has conducted since at least 2016, we now know that these operations are being run by the [MSS],” said the analysts. APT10’s hackers operate under shell companies such as Huaying Haitai Science and Technology Development Co Ltd and under the direct supervision of their regional bureau in Tianjin, the blog said.
Insikt has positioned its report as most useful to internal IT security of companies that partner with MSPs and cloud hosting providers along with organizations that rely on third-party supply chains. Of its partnership with Rapid7 to tie APT10 to the Chinese government, Insikt said “industry collaboration is a vital enabler in illuminating threats and offering protection to organizations at risk from hostile, state-sponsored economic cyberespionage.”