The latest annual Threat Report by the Federal Government’s Australian Cyber Security Centre (ACSC) has flagged a growing occurrence of private sector IT services providers and IT security firms being the target of malicious cyber attacks.
“Also worthy of highlighting has been the global campaign by advanced adversaries to compromise some private sector providers of ICT services, including ICT security,” the report stated.
“Some managed services providers and ICT providers around the world, including in Australia, have been compromised by these adversaries.
“And of concern, we know that through this compromise, adversaries have accessed the networks of some of these companies’ clients.”
Indeed, the ACSC said that cyber adversaries have increased their targeting of trusted third parties, particularly service providers.
Such companies are highly attractive targets because they can enable secondary and tertiary access into a range of primary targets, according to the Centre.
“Some Australian networks of global service providers have been compromised, and through them, so have some of their customers’ networks,” the report stated.
In April, the ACSC revealed that Australian managed service providers (MSPs) were among the organisations that were targeted by a cyber threat actor thought to be based in China, known as APT10.
At the time, the ACSC issued a warning to local enterprises, encouraging Australian companies that engage MSPs to speak to their respective providers about the potential risks arising from the global threat.
Now, the Centre has expanded upon the increasingly prominent role MSPs appear to be playing in the attack vectors employed by cyber criminals and other digital adversaries.
“[MSPs] are increasingly targeted as a means to compromise the networks and data of their customers including government, military, and business organisations,” the report stated.
“They are a very attractive compromise target for sophisticated adversaries as they have a broad range of customers, connectivity and accesses to their customers’ networks and data, and present opportunities for further network exploitation.
“Compromising MSPs can also be efficient tradecraft for malicious cyber adversaries. By compromising an MSP, a sophisticated cyber adversary can gain access to the data or networks of many MSP customers in one action,” it said.
“The ACSC has observed the compromise of Australian arms of multinational MSPs; and also observed adversaries using the compromise of the MSP to subsequently compromise the MSP’s customers.”
In early 2017, according to the report, the ACSC became aware of the compromise of the Australian arm of a multinational construction services company.
The Australian Signals Directorate (ASD) and CERT Australia provided joint incident response services to the company, and through analysis the organisations were able to identify that the Australian network was compromised through the unnamed company’s relationship with its MSP.
“An account associated with the MSP was used by the malicious adversary to install malware on the victim network. The account was created by the victim organisation, specifically for the service provider to log on and access the victim’s network – this setup is typical of many MSP customer relationships,” the ACSC said.