Who was behind this unprecedented Cyber attack on Western infrastructure?

Who was behind this unprecedented Cyber attack on Western infrastructure?

In late 2016, Cyber threat analysts in PwC and BAE Systems began assisting victims of a new global cyber espionage campaign. They named the campaign Operation Cloud Hopper.

Cloud Hopper turned out to be an attack of unprecedented scale that targeted companies known as “managed IT service providers”, or MSPs. Because MSPs manage the IT systems of hundreds of clients, the technique used by the Cloud Hopper attackers was highly effective – they gained access not only to the sensitive data of the MSPs themselves, but also to their clients globally.

By attacking a handful of companies, the Cloud Hopper actors gained access to potentially thousands of networks.

cloud-hopper-report
The Cloud Hopper analysis by PwC and BAE Systems

APT10 was behind Cloud Hopper

PwC and BAE assessed that Operation Cloud Hopper was almost certainly managed by the threat actor known within the Information Security community as “APT10”. This assessment was based on the group’s highly interconnected network of infrastructure, which had connections with APT10’s previous operations. The Palo Alto Networks report menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations shows that a series of old APT10 command and control (C2) domains (including cmdnetview[.]com) associated with servers that were later used by the Cloud Hopper group.

The Cloud Hopper report released by PwC and BAE assessed that APT10 had significantly increased its scale and capability since early 2016 and was focused on espionage activity by targeting intellectual property and other sensitive data.

It was also assessed at the time that APT10 was highly likely to be a China-based threat actor, based on a series of clues including the compile times of binaries, registration times of domains, activity indicating a pattern of work in line with China Standard Time and a mix of diplomatic and political targets being closely aligned with China’s strategic interests.

cloud-hopper-utc8-timings
Cloud Hopper analysis showing activity during working day in UTC+8 timezone

So what?

Analysts working with this blog have spent the last year investigating the most damaging attacks to hit Western companies, starting with APT10.

We have identified a number of individuals behind the attack and the companies with which they have been associated.

We plan to tell the story – check back for more over the next month…

Advertisements

Coming Soon…

Coming Soon…

In the month that APT10 rocked the world, we believe it is finally time to get to the truth behind “Advanced Persistent Threats” – large-scale Cyber attacks stealing intellectual property from Western companies.

apt10
APT10 targets Managed Service Provider (MSP) networks

We are busy investigating the largest APTs and will soon reveal the truth behind some of these intrusions. Meanwhile, you can read about APT10’s recent activity in PwC’s report, and their historical tools and techniques in FireEye’s report.

Continue reading “Coming Soon…”