Operation “Cloud Hopper” or Advanced Persistent Threat (APT) group 10 is focusing on compromising managed service providers (MSPs) to gain access to their customers’ systems. This is a stark reminder of how dangerous the internet landscape is for both end-users and IT providers.
It should come as no surprise that MSPs and IT providers make for excellent targets for cybercriminals—the compromise of a single MSP can give access to multiple networks. This is something we have been publicly talking about for upwards of two years.
You can read the full PwC/BAE Systems report here (PDF warning)
The Executive Summary states:
“Operation Cloud Hopper has targeted managed IT service providers (MSPs), allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally.
“APT10 has recently unleashed a sustained campaign against MSPs. The compromise of MSP networks has provided broad and unprecedented access to MSP customer networks.
In some sense, it’s almost flattering that the MSP community has its own cyber antagonist; and for those MSPs and IT providers obsessing about ransomware infections, the revelation of a justifiably somewhat scary APT group gives everyone cause for concern. However, here are some key items to take away from this to help ensure you’re on your guard:
For all its sophistication, APT10 starts its attacks with a phishing email, just like almost every common ransomware attack. If you are filtering email for your customers and for your own MSP organization, this is a great first line of defense.
Locking down systems means controlling administrative privileges (for your customers too), using application and IP whitelisting, implementing two-factor authentication (2FA), Group Policy Objects (GPOs), and other security measures to control where and how applications can be installed.
APT10 will try to compromise an MSP endpoint with a Trojan to harvest credentials to use against your customers; don’t make it easy for them.
APT10 is primarily interested in conducting espionage activities and exfiltration of data.
Pay attention to security warnings, especially those relating to indicators of compromise, typosquatting, and account tampering. Our data science team has invested a great deal of time and effort in warning against session hijacking, password re-use, and account brute-force attacks, so that you know when there may be a problem. So, if you receive a warning that something strange has been detected, it’s time to investigate.
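To make the account brute-force warnings mentioned above concrete, here is an added example (not code from the original post or from any vendor's product) of the kind of detection logic that produces such a warning. It runs over a few constructed authentication log lines and flags three patterns: a burst of failed logons against one account from one source, a password spray (one source failing against many accounts, which goes beyond the single brute-force case the post names), and a success that follows a burst, which is the strongest sign that a credential has been guessed. The log format, the thresholds and the sample data are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2017-04-05T08:55:00 OK   user=jdoe  src=10.0.0.4
2017-04-05T09:00:01 FAIL user=jdoe  src=203.0.113.7
2017-04-05T09:00:03 FAIL user=jdoe  src=203.0.113.7
2017-04-05T09:00:05 FAIL user=jdoe  src=203.0.113.7
2017-04-05T09:00:08 FAIL user=jdoe  src=203.0.113.7
2017-04-05T09:00:10 FAIL user=jdoe  src=203.0.113.7
2017-04-05T09:00:12 OK   user=jdoe  src=203.0.113.7
2017-04-05T09:10:00 FAIL user=alice src=198.51.100.20
2017-04-05T09:10:05 FAIL user=bob   src=198.51.100.20
2017-04-05T09:10:09 FAIL user=carol src=198.51.100.20
2017-04-05T09:10:14 FAIL user=dave  src=198.51.100.20
2017-04-05T09:20:00 FAIL user=erin  src=192.0.2.55
2017-04-05T09:20:30 OK   user=erin  src=192.0.2.55
"""


def parse_log(text):
    """Parse the assumed log format into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(src, user): burst_start} for pairs with >= threshold failed
    logons inside any sliding window of the given length."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[(e["src"], e["user"])].append(e["ts"])
    hits = {}
    for key, times in fails.items():  # times are already sorted
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[key] = times[i]
                break
    return hits


def detect_password_spray(events, min_accounts=4, window=timedelta(minutes=10)):
    """Return {src: users} for sources whose failures touch >= min_accounts
    distinct accounts inside one window (few tries each, many accounts)."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, items in by_src.items():
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[src] = users
                break
    return hits


def success_after_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(src, user): success_ts} where a successful logon from the same
    source follows a brute-force burst: the credential was probably guessed."""
    bursts = detect_bruteforce(events, threshold, window)
    hits = {}
    for e in events:
        key = (e["src"], e["user"])
        if e["ok"] and key in bursts and e["ts"] >= bursts[key] and key not in hits:
            hits[key] = e["ts"]
    return hits


def run_detections(text):
    """Run all three detectors and return their findings keyed by name."""
    events = parse_log(text)
    return {
        "bruteforce": detect_bruteforce(events),
        "spray": detect_password_spray(events),
        "guessed": success_after_bruteforce(events),
    }


if __name__ == "__main__":
    for name, found in run_detections(SAMPLE_LOG).items():
        print(name, found or "none")
```

On the sample data the single failed logon from 192.0.2.55 followed by a success is left alone (a user mistyping a password), while the jdoe burst from 203.0.113.7 is reported both as brute force and as a likely guessed credential because the success arrives seconds after the failures. Real deployments key the same logic on Windows event IDs 4625 and 4624 or on the equivalent fields from a VPN or RMM audit log, and tune the thresholds to the normal failure rate of the environment.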
I urge everyone to read the APT10 report. It is an excellent way for MSPs to examine their own security and open a discussion with customers on increasing the security for organizations at risk.