Cloud Hopper – Grass Hopper

This week’s revelation in shrieking headlines is that Chinese hackers have been aggressively and ruthlessly stealing the data of many companies around the world in an attack called Cloud Hopper, which barely raised the eyebrows of many in the security industry.

Certainly, PwC and BAE Systems have stirred up a hornet’s nest of a subsequent flurry of demands for information with their highly glossy, diagram rich analysis document and supporting technical detail, all fresh from their various PR/marketing, repro departments and third parties, many of whom will have themselves presumably suffered exploitation if you believe what you read.

IS this something we didn’t already know? We asked ourselves, printed out the aforementioned shiny publication and got down to some serious reading alongside a little bit of jealousy about the quality of the diagrams – they are the sort you would normally see in a fancy sales brochure, oh hang on a minute…

It was very reassuring to read that the report is ‘primarily fact-based’ and that where an assessment has been made, it is given a likelihood scoring when you cross reference the terminology in the document with a table of probabilistic language in the appendix. Pretty fancy stuff.

So down to the nitty-gritty. The report claims that PwC/BAE Systems in collaboration with the new UK National Cyber Security Centre (NCSC) under its Certified Incident Response (CIR) scheme has identified a vast targeted infiltration of businesses around the world by an attacking group named APT10 and most likely Chinese.

The attacks have been focussed on Managed Service Providers who are infiltrated and then the legitimate credentials they have to administer client’s infrastructure, servers, data etc. are then used via lateral infection and credential scraping to send as much data as possible back to the mothership located somewhere in the UTC+08 time zone, which does cover both China and Russia, although China are odds on favourites for a variety of supplemental reasons.

Some of this report is not new news, for instance in February this year, the activities of APT10 were reported in SecurityWeek online here.

What this identified was that the APT10 group, which has been known about since 2009, was using brand new malware (CheChes) in targeted attacks against Japanese interests, a point which is covered in detail in the PwC/BAE report which focuses on the move to new malware such as Quasar and Redleaves, which have been the subject of commentary from the likes of FireEye in the past.

So yes, we have known for some time that Chinese Actors are ruthlessly, successfully attacking companies from around the world. What we probably didn’t know and is brought very sharply into focus in this report is the efficiency, efficacy and scale of the infiltration and importantly the fact that it has become an attack against the supply chain which is used to traverse to the lovely, shiny data for mining. It seems that an awful lot of large MSPs may well have been compromised already.

If you use the services of an MSP that has credentials or direct access to your data and systems, you should ask them what they are doing to look for Indicators of Compromise, which have very helpfully been provided by PwC (see below) and set about changing credentials and looking inside your own systems for the same IoCs.

Towards the end of the report is this gem (it is in bold italic):

This campaign serves to highlight the importance of organisations having a comprehensive view of their threat profile, including that of their supply chain’s (sic). More broadly, it should also encourage organisations to fully assess the risk posed by their third party relationships and prompt them to take appropriate steps to assure and manage these.

I wonder where one could look to get some business consultancy or audit capability to help with this now that we know that our auditors and accountants are also cyber ninjas?

The report is here.

If you would like to discuss Cloud Hopper, APT10 or any of the issues raised by this report, please contact us at: [email protected] or call 020 7517 3900 – and before you ask, we have looked for IoCs in our environment and found none, we are building some use cases for our managed security platform around this issue and will be updating our customers appropriately.