Who was behind this unprecedented Cyber attack on Western infrastructure?

In late 2016, Cyber threat analysts in PwC and BAE Systems began assisting victims of a new global cyber espionage campaign. They named the campaign Operation Cloud Hopper.

Cloud Hopper turned out to be an attack of unprecedented scale that targeted companies known as “managed IT service providers”, or MSPs. Because MSPs manage the IT systems of hundreds of clients, the technique used by the Cloud Hopper attackers was highly effective – they gained access not only to the sensitive data of the MSPs themselves, but also to their clients globally.

By attacking a handful of companies, the Cloud Hopper actors gained access to potentially thousands of networks.

The Cloud Hopper analysis by PwC and BAE Systems

APT10 was behind Cloud Hopper

PwC and BAE assessed that Operation Cloud Hopper was almost certainly managed by the threat actor known within the Information Security community as “APT10”. This assessment was based on the group’s highly interconnected network of infrastructure, which had connections with APT10’s previous operations. The Palo Alto Networks report menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations shows that a series of old APT10 command and control (C2) domains (including cmdnetview[.]com) associated with servers that were later used by the Cloud Hopper group.

The Cloud Hopper report released by PwC and BAE assessed that APT10 had significantly increased its scale and capability since early 2016 and was focused on espionage activity by targeting intellectual property and other sensitive data.

It was also assessed at the time that APT10 was highly likely to be a China-based threat actor, based on a series of clues including the compile times of binaries, registration times of domains, activity indicating a pattern of work in line with China Standard Time and a mix of diplomatic and political targets being closely aligned with China’s strategic interests.

Cloud Hopper analysis showing activity during working day in UTC+8 timezone

So what?

Analysts working with this blog have spent the last year investigating the most damaging attacks to hit Western companies, starting with APT10.

We have identified a number of individuals behind the attack and the companies with which they have been associated.

We plan to tell the story – check back for more over the next month…

Article Link: https://intrusiontruth.wordpress.com/2018/07/17/who-was-behind-this-unprecedented-cyber-attack-on-western-infrastructure/