UK BUSINESSES are being targeted by Chinese hackers in a series of attacks focused on compromising managed IT service providers and their clients.
The warning comes as a result of joint research by consultants PwC UK and BAE Systems' IT security arm, which also drew on expertise from the UK National Cyber Security Centre's (NCSC) Certified Incident Response (CIR) scheme.
The report suggests that the attacks have been taking place since at least 2014, with more activity than average in the past year.
The researchers say that the attackers are "widely known within the security community as 'APT10'" and that the 'Cloud Hopper' campaign the study identified was used at the same time in targeted attacks against Japanese companies.
The report states that APT10 is widely recognised as a threat that emanates from China.
This is by no means the first campaign attributed to APT10, a group that has existed since at least 2009 and has been known to switch its approach when needed. In 2013, following FireEye's disclosure of how the Poison Ivy malware family works, the group re-tooled before re-commencing activities.
This is no one-person attack, either. APT10 is thought to have teams of people working in shifts on their own distinct areas of responsibility and expertise.
"As a result of our analysis of APT10's activities, we believe that it almost certainly benefits from significant staffing and logistical resources, which have increased over the last three years, with a significant step-change in 2016," the report claims.
"Due to the scale of the threat actor's operations throughout 2016 and 2017, we similarly assess it currently comprises multiple teams, each responsible for a different section of the day-to-day operations, namely domain registration, infrastructure management, malware development, target operations, and analysis."
The true goal of targeting IT service providers, according to the researchers, is to gain entry to the "unfettered and direct access" they should have to clients' networks, as well as the swathes of data they might also have stored.
The malware used by APT10 is classified in two different ways: tactical and sustained. The former (EvilGrab, ChChes, RedLeaves) is designed to be disposable and is delivered via a spear phishing attack.
Once the attackers have a foothold on a target system, the 'sustained' malware (Poison Ivy, PlugX, Quasar) provides long-term remote access and the ability to carry out higher-level tasks.
Organisations that have fallen victim to APT10 in this attack have already been warned by the two companies and the NCSC, according to the BBC.