A number of managed services providers (MSPs) and their customers have become victims of a global, cyber espionage attack carried out by a China-based threat actor known as APT10.
The reports describe a sophisticated and persistent espionage campaign dating back to 2014. The public reports of the campaign dovetailed with Chinese President Xi Jinping's first official visit to the U.S. to meet with President Trump. The Chinese threat actor, APT10, is also known as 'Stone Panda' in the cyber community, according to sources close to HMG Strategy.
PwC and BAE Systems have each issued warnings about a "systematic and widespread" APT10 campaign dubbed "Cloud Hopper" to steal data from an unknown number of MSPs, according to Dark Reading. Numerous MSPs have been attacked since late 2016 and their infrastructures have been used by APT10 to gain access to their clients' networks. Once inside, APT10 has extracted intellectual property and other sensitive data from client networks in the private sector and government sector.
Thus far, APT10 is suspected of orchestrating cyber espionage attacks against MSPs in 15 countries, including the U.S., U.K., Canada, Finland, Norway, Sweden, France, Switzerland, Japan, Thailand, and Brazil. A report issued by the National Cyber Security Centre, the lead organization in the investigation, along with BAE Systems and PwC, attributes the attacks to APT10 based on their pattern. APT10 likely began conducting these attacks as early as 2014. The perpetrators are said to use traditional phishing for the initial penetration of MSPs, then sophisticated malware combined with other techniques such as URL impersonation to move laterally and into MSP clients.
The heightened complexity of attacks against corporate and government networks demonstrates the critical need for Chief Information Security Officers and other decision-makers to develop proactive strategies to reclaim cyber dominance in the information security community.
Israel Martinez, Chairman, Global Manufacturing ISAO & CEO, Axon Global, who has been involved in several strategic U.S. and international initiatives including supporting President Trump's 100-day team in cyber strategy and innovation, recommends an immediate four-step plan for stabilizing cyber security and making it extremely difficult for bad actors to infiltrate.
  1. Defend your credentials. With multi-factor authentication, users are granted access to systems only after they've provided several pieces of evidence to authenticate who they are. This can include knowledge (something they know), possession (something they have, such as a security token) and inherence (something unique about them, such as their fingerprint or voice recognition). "It's the fastest way to protect your passwords and the best way to turn away the bad guys," said Martinez.
  2. Protect your data. The security perimeter is no longer the line of defense. Encrypt data at rest and in transit. Bad actors consistently find new ways to breach network perimeters. Ultimately, it's organizational data they're after (including sensitive customer data, intellectual property, Social Security numbers, valid credentials, etc.). Organizations must be vigilant about encrypting data, including data that's being transferred from point to point, said Martinez.
  3. Conduct DNS-level log monitoring. Activity at the DNS root level usually isn't visible to the organization, which is exactly why monitoring it is critical. Cyber criminals are now operating at application and OSI layers that normal log inspection does not see, because it offers them greater flexibility and control. Tracking root-level DNS anomalies and responding quickly to suspicious activity can stop attackers in their tracks. "Think of it like checking for plumbing leaks underneath the house versus at the faucet," said Martinez. "Often we're busy replacing faucet-filters while the bad actors are damaging plumbing infrastructure under the building."
  4. Manage supply chain risk. Monitor and address supply-chain vulnerabilities. CISOs and cyber teams also must be vigilant about monitoring and proactively addressing any back-door infections that business partners can expose the enterprise to. Find and leverage providers that are focused on what bad actors are communicating or exploiting today. This helps you respond earlier in the "kill chain". It also requires new partners that have an "outside-in" capability and perspective that is legal and powerful.
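As an added example (not from the article, nor from Axon Global or any of the firms named), here is one simple form of the DNS-level anomaly monitoring that step 3 describes: a Python script that scans constructed DNS query log lines for long, high-entropy subdomain labels and for a single host repeatedly querying such names under one registered domain, a pattern associated with DNS tunnelling. The log format ("client fqdn" per line), the thresholds and the sample hosts and domains are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log in a hypothetical "client fqdn" format; not data from the report.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 www.example.com
10.0.0.7 ajx9q2k7ztb4v8mn1pq0wl5rd3.badexample.net
10.0.0.7 pz81ml3v9qk2xw7rt5nb0ygh6c.badexample.net
10.0.0.7 q7ws4e2rtb9y1uj8ik5ol3p6zm.badexample.net
10.0.0.9 cdn.example.org
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of one DNS label; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    """Yield (client, fqdn) pairs, normalising case and a trailing dot."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1].lower().rstrip(".")

def registered_domain(fqdn: str) -> str:
    # Assumes two-label registrable domains; production code would use the Public Suffix List.
    return ".".join(fqdn.split(".")[-2:])

def find_dns_anomalies(text, entropy_threshold=3.5, min_label_len=20, burst=3):
    """Return findings: (a) long high-entropy leftmost labels and (b) hosts that
    sent >= `burst` distinct such names to one registered domain (tunnelling-like)."""
    findings = []
    per_host_domain = defaultdict(set)
    for host, fqdn in parse_log(text):
        first = fqdn.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= entropy_threshold:
            findings.append(("high_entropy_label", host, fqdn))
            per_host_domain[(host, registered_domain(fqdn))].add(fqdn)
    for (host, domain), names in per_host_domain.items():
        if len(names) >= burst:
            findings.append(("possible_tunnelling", host, domain))
    return findings

if __name__ == "__main__":
    for finding in find_dns_anomalies(SAMPLE_LOG):
        print(*finding)
```

In practice the same logic would run against a resolver's query log or passive-DNS feed and the thresholds would be tuned against a baseline of normal traffic, since CDNs and some legitimate services also emit long hashed labels.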
We will soon see new policy, law, executive orders and intent that will enable private sector approaches and capabilities not previously available. Martinez also recommends continually evaluating emerging technology developments that can further enable the enterprise to maintain cyber dominance. Cybersecurity is no longer monolithic; the discussion must now encompass strategy, innovation and business empowerment simultaneously. For instance, blockchain, a digital, distributed ledger system in which identical copies of transactions are controlled by multiple participants, offers enterprises opportunities to block identity theft, thwart data tampering, and prevent denial of service attacks.

Meanwhile, artificial intelligence (AI) and machine learning both offer the ability to identify and respond to threats quickly in automated self-defending networks.

Keeping pace with forward-looking cyber strategies can help companies stay ahead of APT10-style cyber espionage and other types of advanced threats. "You can never be 100% insulated but these steps can get you into the 98th percentile, compared to your neighbor's defense," said Martinez. "These four steps, implemented correctly and simultaneously, will allow you to begin punching your own weight."
Interested in learning more about APT10 and best practices in cyber security? Join us at our upcoming 2017 NY CISO Executive Leadership Summit and our 2017 Chicago CISO Executive Leadership Summit.