Who was behind this unprecedented Cyber attack on Western infrastructure?

In late 2016, cyber threat analysts at PwC and BAE Systems began assisting victims of a new global cyber espionage campaign. They named the campaign Operation Cloud Hopper.

Cloud Hopper turned out to be an attack of unprecedented scale that targeted companies known as “managed IT service providers”, or MSPs. Because MSPs manage the IT systems of hundreds of clients, the technique used by the Cloud Hopper attackers was highly effective – they gained access not only to the sensitive data of the MSPs themselves, but also to their clients globally.

By attacking a handful of companies, the Cloud Hopper actors gained access to potentially thousands of networks.

The Cloud Hopper analysis by PwC and BAE Systems

APT10 was behind Cloud Hopper

PwC and BAE assessed that Operation Cloud Hopper was almost certainly managed by the threat actor known within the information security community as “APT10”. This assessment was based on the group’s highly interconnected network of infrastructure, which had connections with APT10’s previous operations. The Palo Alto Networks report menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations shows that a series of old APT10 command and control (C2) domains (including cmdnetview[.]com) were associated with servers that were later used by the Cloud Hopper group.

The Cloud Hopper report released by PwC and BAE assessed that APT10 had significantly increased its scale and capability since early 2016 and was focused on espionage activity by targeting intellectual property and other sensitive data.

It was also assessed at the time that APT10 was highly likely to be a China-based threat actor, based on several indicators: the compile times of binaries, the registration times of domains, a pattern of activity matching a working day in China Standard Time (UTC+8), and a mix of diplomatic and political targets closely aligned with China’s strategic interests.

Cloud Hopper analysis showing activity during working day in UTC+8 timezone
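The working-day analysis in the chart above can be reproduced from a list of artefact timestamps. The following is an added example, not code from the blog, PwC or BAE: it takes UTC timestamps (the kind a PE compile-time field or a WHOIS creation date yields), shifts them into each candidate UTC offset, and scores how much of the activity lands in an assumed 09:00 to 18:00 working day. All timestamps below are constructed for illustration, not real APT10 data, and the working-day window is an assumption.

```python
"""Infer an actor's working timezone from artefact timestamps.

Added example: this is not code from the blog or from PwC/BAE, and the
timestamps below are constructed for illustration, not real APT10 data.
The technique is the one the post describes: compile times and domain
registration times, taken from many artefacts attributed to one cluster,
fall into a local working day once shifted to the right UTC offset.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps standing in for compile-time fields and domain
# creation dates. In practice you would collect hundreds from samples and
# registrations attributed to the cluster.
TIMESTAMPS_UTC = [
    "2016-03-14T01:12:00", "2016-03-14T02:40:00", "2016-03-15T03:05:00",
    "2016-03-15T05:55:00", "2016-03-16T01:30:00", "2016-03-16T06:20:00",
    "2016-03-17T07:45:00", "2016-03-17T08:10:00", "2016-03-18T01:50:00",
    "2016-03-18T09:30:00", "2016-03-21T04:15:00", "2016-03-21T02:05:00",
    "2016-03-22T03:40:00", "2016-03-22T07:00:00", "2016-03-23T05:25:00",
    "2016-03-24T01:55:00", "2016-03-24T06:45:00", "2016-03-25T08:30:00",
    "2016-03-25T09:10:00", "2016-03-28T14:00:00",  # last one: evening work
]

WORK_START, WORK_END = 9, 18  # assumed local working day, [09:00, 18:00)


def parse_utc(ts):
    """Parse an ISO-8601 string and pin it to UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def local_hours(timestamps_utc, offset_hours):
    """Hour of day of each timestamp after shifting it into UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return [parse_utc(ts).astimezone(tz).hour for ts in timestamps_utc]


def working_day_fraction(timestamps_utc, offset_hours):
    """Share of activity that falls inside the working day at this offset."""
    hours = local_hours(timestamps_utc, offset_hours)
    in_work = sum(1 for h in hours if WORK_START <= h < WORK_END)
    return in_work / len(hours)


def best_offset(timestamps_utc, candidates=range(-12, 15)):
    """UTC offset whose working-day window captures the most activity.
    Ties go to the smaller-magnitude offset so the result is deterministic."""
    scored = {off: working_day_fraction(timestamps_utc, off) for off in candidates}
    return max(scored, key=lambda off: (scored[off], -abs(off)))


def hour_histogram(timestamps_utc, offset_hours):
    """Counter of local hour -> number of artefacts, for eyeballing the curve."""
    return Counter(local_hours(timestamps_utc, offset_hours))


if __name__ == "__main__":
    off = best_offset(TIMESTAMPS_UTC)
    share = working_day_fraction(TIMESTAMPS_UTC, off)
    print(f"best fit: UTC{off:+d} ({share:.0%} of activity in working hours)")
    hist = hour_histogram(TIMESTAMPS_UTC, off)
    for hour in range(24):
        print(f"{hour:02d}:00  {'#' * hist[hour]}")
```

Two caveats a practitioner would apply: compile timestamps can be zeroed or forged by the actor (so the curve should be built from many independent artefact types, as the report did with both binaries and domain registrations), and a working-hours fit on its own only narrows the offset, not the country; the post's conclusion rests on that fit combined with targeting and infrastructure evidence.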

So what?

Analysts working with this blog have spent the last year investigating the most damaging attacks to hit Western companies, starting with APT10.

We have identified a number of individuals behind the attack and the companies with which they have been associated.

We plan to tell the story – check back for more over the next month…


The destruction of APT3

Twelve months have passed since this blog exposed Wu Yingzhuo, Dong Hao, their company ‘Boyusec’ and the Chinese Ministry of State Security (MSS) as being behind APT3. APT3 was, at the time, one of the most damaging APT attacks to hit Western companies. One year on, we take a look back at what happened after our publication.

APT3 is Boyusec, a Chinese Intelligence Contractor

In our last three posts we introduced you to APT3 and identified two individuals responsible for purchasing their domain names – Wu Yingzhuo and Dong Hao. An IP address in Guangdong, China was associated with some of the domains.

Both individuals have a long history of purchasing APT3 infrastructure. Who do they work for and where do their orders come from?

Who is Mr Dong?

In our last post we showed how, through WHOIS data, it is possible to identify Wu Yingzhuo, an APT3 operator who registered domain names for the group and advertised online offering help with Trojan development.

The story finished with http[.]net, a domain name that we showed was connected to APT3, and that was registered to Yingzhuo Wu. In this post we will show how the trail continues and allows us to identify a second APT3 member, Mr Dong.
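Both trails on this page are infrastructure pivots: the APT10 section links old C2 domains to servers later reused by Cloud Hopper, and the APT3 posts follow domains back to their registrant through WHOIS data. The block below is an added example, not code from the blog, showing the two pivots together: it groups domains by the server they resolved to (oldest first, so the “later used” ordering is visible) and by registrant e-mail, then expands outward from a seed domain while recording the evidence for every hop. cmdnetview[.]com is the only indicator taken from the page; every other domain, IP address, registrant name and e-mail is a constructed placeholder drawn from reserved example ranges.

```python
"""Pivot between domains through shared servers and shared WHOIS registrants.

Added example: this is not code from the blog. It shows the two pivots the
posts rely on, a domain resolving to a server that other domains also used
(the APT10 C2 overlap) and domains sharing a registrant (the APT3 WHOIS
trail). cmdnetview.com is named on the page as an old APT10 C2 domain;
every other domain, IP address, registrant and e-mail below is a constructed
placeholder from reserved example ranges, not a real indicator.
"""
from collections import defaultdict

# Constructed passive-DNS style records: (domain, ip, first_seen, last_seen).
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
RESOLUTIONS = [
    ("cmdnetview.com", "203.0.113.10", "2014-02-01", "2015-06-30"),
    ("c2-a.example",   "203.0.113.10", "2016-04-01", "2016-11-30"),
    ("c2-b.example",   "198.51.100.7", "2016-05-10", "2016-12-01"),
    ("shop.example",   "192.0.2.55",   "2015-01-01", "2017-01-01"),
]

# Constructed WHOIS records: (domain, registrant_name, registrant_email).
WHOIS = [
    ("cmdnetview.com", "Registrant A", "a@registrant.example"),
    ("c2-b.example",   "Registrant A", "a@registrant.example"),
    ("c2-c.example",   "Registrant B", "b@registrant.example"),
    ("shop.example",   "Shop Owner",   "owner@shop.example"),
]


def pivot_on_ip(resolutions):
    """IP -> domains that resolved to it, ordered by first_seen.
    Only IPs shared by more than one domain are returned."""
    by_ip = defaultdict(list)
    for domain, ip, first_seen, last_seen in resolutions:
        by_ip[ip].append((domain, first_seen, last_seen))
    return {ip: sorted(ds, key=lambda d: d[1])
            for ip, ds in by_ip.items() if len(ds) > 1}


def pivot_on_registrant(whois):
    """Registrant e-mail -> set of domains registered with it (shared only)."""
    by_email = defaultdict(set)
    for domain, _name, email in whois:
        by_email[email].add(domain)
    return {email: ds for email, ds in by_email.items() if len(ds) > 1}


def expand_cluster(seeds, resolutions, whois):
    """Start from known domains and follow shared IPs and shared registrants
    until no new domain appears. Returns the cluster and the edges that
    justify each link, so every hop can be reviewed by hand."""
    ip_links = pivot_on_ip(resolutions)
    reg_links = pivot_on_registrant(whois)
    domain_ips, domain_emails = defaultdict(set), defaultdict(set)
    for domain, ip, _, _ in resolutions:
        domain_ips[domain].add(ip)
    for domain, _, email in whois:
        domain_emails[domain].add(email)

    cluster, frontier, edges = set(seeds), list(seeds), set()
    while frontier:
        domain = frontier.pop()
        neighbours = set()
        for ip in domain_ips[domain]:
            for other, _, _ in ip_links.get(ip, []):
                if other != domain:
                    neighbours.add(other)
                    edges.add((*sorted((domain, other)), "ip:" + ip))
        for email in domain_emails[domain]:
            for other in reg_links.get(email, set()):
                if other != domain:
                    neighbours.add(other)
                    edges.add((*sorted((domain, other)), "registrant:" + email))
        for other in neighbours:
            if other not in cluster:
                cluster.add(other)
                frontier.append(other)
    return cluster, edges


if __name__ == "__main__":
    cluster, edges = expand_cluster({"cmdnetview.com"}, RESOLUTIONS, WHOIS)
    print("cluster:", sorted(cluster))
    for a, b, why in sorted(edges):
        print(f"  {a} <-> {b}  via {why}")
```

Each returned edge is a claim that still needs checking: a shared IP on shared hosting, a CDN or a sinkhole links unrelated domains, so confirm the server was dedicated and that the two domains’ resolution windows make sense together; WHOIS registrant details can be privacy-protected or simply false, so a shared e-mail is a lead to corroborate, not a conclusion. That is why the posts walk through one link at a time rather than trusting an automated cluster.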

Who is behind this Chinese espionage group stealing our intellectual property?

APT3 – also known as Gothic Panda, Buckeye, UPS Team and TG-0110 – was first reported in 2010 by FireEye in their report Hupigon Joins The Party. It is blamed for using a Remote Access Trojan named Pirpi in attacks against the US and UK. The Trojan is usually delivered through malicious attachments or links in spear-phishing e-mails and the group have a history of innovating new browser-based zero-day exploits. FireEye claim that it is one of the most sophisticated threat groups tracked by their Threat Intelligence arm.

Coming Soon…

In the month that APT10 rocked the world, we believe it is finally time to get to the truth behind “Advanced Persistent Threats” – large-scale Cyber attacks stealing intellectual property from Western companies.

APT10 targets Managed Service Provider (MSP) networks

We are busy investigating the largest APTs and will soon reveal the truth behind some of these intrusions. Meanwhile, you can read about APT10’s recent activity in PwC’s report, and their historical tools and techniques in FireEye’s report.