APT10 – Five-Year Plan for hacking
Worldwide attack on managed security services providers
In their multi-page report “Operation Cloud Hopper”, PwC and BAE Systems describe the globally distributed attack by the group “APT10” targeting Managed Service Providers (MSPs) and their customers. A number of Japanese organizations were directly targeted. In 2014, MSP networks became the target of the possibly politically orchestrated attack: defences were penetrated through skilful use of malware in the networks of the victims’ service providers. In the process, the attackers used the IT infrastructure shared between MSP and clients, i.e. the transition points at which the MSP is connected to the networks of its customers.
Poison Ivy, PlugX, Better C & C Server & Spear Phishing
The attack became even more elaborate in 2016, both through further development of the malware used, such as Poison Ivy and PlugX, and through specific adaptations and extensions of the command and control servers involved in the attacks. The command and control infrastructure was controlled primarily through Dynamic DNS networks, which the group has apparently used in earlier campaigns as well. The initial attack vector was, once again, targeted spear phishing – the classic infiltration method of the APT (Advanced Persistent Threat) attack model.
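The post notes that the command and control infrastructure was reached through Dynamic DNS networks. A defender's first step is therefore to spot which internal hosts resolve names under dynamic-DNS domains at all, and whether those lookups recur at the regular intervals typical of a beaconing implant. The following script is an added example written for this page; it is not code from the report or from PwC/BAE. The dynamic-DNS suffixes, the log layout and the log lines are all constructed placeholders, since the post names neither the providers nor any indicators.

```python
"""Flag DNS lookups of dynamic-DNS hostnames and check them for beacon-like regularity."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed placeholder suffixes standing in for dynamic-DNS providers; the
# providers actually used by APT10 are not named in this post.
DYNAMIC_DNS_SUFFIXES = ("dyn-example.test", "ddns-example.test")

# Constructed resolver log in the layout "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = """\
2016-11-03T08:00:01Z 10.20.30.41 update.vendor.example
2016-11-03T08:00:05Z 10.20.30.41 mail.corp.example
2016-11-03T08:05:12Z 10.20.30.77 srv-01.dyn-example.test
2016-11-03T08:10:12Z 10.20.30.77 srv-01.dyn-example.test
2016-11-03T08:15:13Z 10.20.30.77 srv-01.dyn-example.test
2016-11-03T08:20:12Z 10.20.30.77 srv-01.dyn-example.test
2016-11-03T09:00:00Z 10.20.30.41 node7.ddns-example.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (timestamp, client, qname) or None for lines that do not match the layout."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts_text, client, qname = match.groups()
    try:
        ts = datetime.strptime(ts_text, TS_FORMAT)
    except ValueError:
        return None
    return ts, client, qname.lower().rstrip(".")


def is_dynamic_dns(qname, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True if qname is a listed suffix itself or a host beneath one (label-aware match)."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in suffixes)


def looks_periodic(timestamps, tolerance_s=10):
    """True if at least three lookups occur at near-constant intervals (beacon-like)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s


def report(log_text, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Group dynamic-DNS lookups per (client, qname) and mark the beacon-like ones."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        if is_dynamic_dns(qname, suffixes):
            seen[(client, qname)].append(ts)
    return [
        {"client": client, "qname": qname, "count": len(stamps),
         "periodic": looks_periodic(stamps)}
        for (client, qname), stamps in sorted(seen.items())
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE_DNS_LOG):
        flag = "PERIODIC" if finding["periodic"] else "single/irregular"
        print(f'{finding["client"]} -> {finding["qname"]}: '
              f'{finding["count"]} lookups ({flag})')
```

Feed the script your resolver or proxy logs after adapting `LINE_RE` to their layout, and replace the placeholder suffix list with the dynamic-DNS domains from your own threat intelligence. A hit is a lead, not a verdict: dynamic DNS has legitimate uses, and a single lookup of `node7.ddns-example.test` deserves a look at the host, while four lookups five minutes apart from `10.20.30.77` are what a check-in schedule looks like and should be escalated.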
APT10 preys on focus industries
A further special feature is the exfiltration of data from the target systems: here, as with the infiltration, the MSP was chosen as the route for extracting the captured information. The issue gets a delicate sweet-and-sour note, as the industrial sectors affected by the APT10 attacks and the focus areas of the People’s Republic of China’s five-year plan for innovation are a perfect match: aerospace, energy supply, new materials, medical technology, robotics and next-generation IT.
Once again, this report shows clearly how important an organization’s security maturity level is. It also highlights the importance of an in-depth inspection of managed service providers when trying to avoid becoming the victim of critical data theft. It is advisable to get expert support for the design and implementation of secure connections to service providers and suppliers.