Australian enterprises face threat from compromised MSPs

ACSC issues warning over attacks on managed service providers

The Australian Cyber Security Centre has issued a warning to Australian enterprises that they may be exposed to security threats through their relationships with managed service providers.

The ACSC today warned of a “sustained malicious cyber campaign targeting major international Managed Service Providers” associated with the group designated APT10 — also known as CVNX, Red Apollo, Stone Panda, menuPass Team, and POTASSIUM. APT10 was first identified in 2013.

BAE Systems and PwC have released new research on the APT10 ‘Operation Cloud Hopper’ campaign, which PwC described as “one of the largest ever sustained global cyber espionage campaigns”.

“The espionage campaign has targeted managed IT service providers (MSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally,” PwC warned.

“This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organisation might be exposed to, either directly or through your supply chain.”

“APT10’s malware toolbox shows a clear evolution from malware commonly associated with China-based threat actors towards bespoke in-house malware that has been used in more recent campaigns; this is indicative of APT10’s increasing sophistication, which is highly likely to continue,” the report released by PwC and BAE Systems stated.

“This attack is a clear example of the need for supply chain risk management which sits jointly across procurement, legal, and the security functions of an organisation,” said Michael Shepherd, regional managing director, Australia & NZ, International Services & Solutions at BAE Systems Applied Intelligence.

“This risk management needs to work two ways to be effective, and we encourage procurement teams to have open communication with their suppliers in order to continuously improve security.”

APT10’s known working hours align to Chinese Standard Time (CST) and its targeting corresponds to that of other known China-based threat actors, the report states.

Some of the MSPs targeted by APT10 operate in Australia, the ACSC said.

“The Australian Cyber Security Centre has provided information to government agencies and CERT Australia’s industry partners to be able to recognise the malicious activity and take steps to mitigate it,” the organisation said.
