Australian managed service providers (MSPs) are among those that have been targeted by a cyber threat actor thought to be based in China, known as APT10.
The Australian Cyber Security Centre (ACSC) issued a warning to local enterprises on 4 April, encouraging Australian companies that engage MSPs to speak to their respective providers about the potential risks arising from the global threat.
The ACSC has also called on local MSPs to make sure their clients have not been affected by the global cyber espionage campaign.
“We have strongly encouraged affected Managed Service Providers to identify whether any of their clients have been compromised and work closely with them,” the ACSC said.
According to the ACSC, MSPs have been targeted in a global cyber campaign since at least mid-2016, including some companies that also operate in Australia.
“Clients of these Managed Service Providers in both the public and the private sector could be affected,” the ACSC said in a statement. “We have no evidence at this stage to suggest the general public or small to medium enterprises are being targeted.
“The Australian Cyber Security Centre is working with international partners and the private sector to establish the scale and impact on Australia,” it stated. “The compromises identified to date likely represent only a small proportion of the activity.”
The ACSC said that the cyber actor in question has used widely known intrusion tools in a sustained malicious cyber campaign targeting major international MSPs.
The Centre has provided information to government agencies and CERT Australia's industry partners so that they can recognise the malicious activity and take steps to mitigate it.
“There is also significant public information, including indicators of compromise, for this malicious cyber activity and the actors associated - generally known as APT10,” the ACSC said.
The ACSC’s warning to local companies follows a joint investigation by PricewaterhouseCoopers (PwC) and BAE Systems into a campaign of intrusions against several major MSPs.
Since late 2016, the two companies have been collaborating to research the threat, brief the global security community and assist known victims.
The threat actor behind the campaign is widely known within the security community as ‘APT10’ (a.k.a. CVNX, Stone Panda, MenuPass, and POTASSIUM), referred to within PwC UK as ‘Red Apollo’.
The threat actor's activity appears to have increased in mid-2016 and has focused on the compromise of MSPs as a stepping stone into victim organisations, a report by the two companies said.
“The espionage campaign has targeted managed IT service providers (MSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally,” PwC UK said in a statement.
“This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organisation might be exposed to, either directly or through your supply chain,” the company said.
While PwC and BAE Systems have not revealed the identity of the targeted MSPs, Australia is among the countries in which some of the targeted companies reside.
According to the investigation report, once APT10 has a foothold in a victim network, obtained using either legitimate MSP or local domain credentials or its sustained malware such as PlugX, RedLeaves or Quasar RAT, it begins to identify systems of interest.
“APT10 ‘pushes’ data from victim networks to other networks they have access to, such as other MSP or victim networks, then, using similar methods, ‘pulls’ the data from those networks to locations from which they can directly obtain it, such as the threat actor’s C2 servers,” the report stated.
From an MSP's perspective, according to BAE Systems, strong focus needs to be put on security architecture, network hardening, monitoring, detection and response.
“We would also suggest regular red-teaming or simulated targeted attack testing - performed by independent testers and leveraging intelligence from known attacks,” the company said.