What do I need to know about the MSP hack? 21 Dec 2018


What's going on?

On Thursday, the United States Justice Department made an indictment against two members of APT10, acting in association with the Chinese government [0]. APT10, an advanced persistent threat, has been targeting managed service providers (MSPs) around the world since 2014. Organisations from over fourteen countries were affected, including Australia.

This indictment has spurred a flurry of new stories this morning, including a publication from the ACSC [1] and an interview with National Cyber Security Adviser, Alastair MacGibbon [2], who also attributes APT10 to the Chinese Government.

The nation-state attack on MSPs was covered extensively in 2017, as well as earlier this year [3] [4], and is known as "Cloud Hopper" [5]. This attack attempts to compromise the MSP with remote access trojans (RATs) delivered by phishing. By compromising MSPs, attackers are able to then target the MSP's clients.


What is APT10?

APT10 is also known as Stone Panda, MenuPass, and Red Apollo. An APT is skilled and persistent with more resources than other types of attackers, so they are usually sponsored by nation-states, or coordinated groups. When the APT10 MSP attacks were reported in 2017, there was only circumstantial evidence which pointed at Chinese timezone patterns. This indictment from the US Justice Department charges APT10 members Zhu Hua and Zhang Shilong, who acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau since 2006.


What should I tell my boss?

This is not a new threat, and we have known about it since early 2017. The reason it is in the news is that the United States Justice Department has indicted two Chinese nationals.

You can also point out which of the controls in this document you have implemented to mitigate the risks associated with engaging with an MSP: "How to manage your network security when engaging a Managed Service Provider" [6]


What you should do

At the time of writing, here are the Indicators of Compromise from our MISP event:
https://www.auscert.org.au/publications/2018-12-21-apt10-msp-breach-iocs

We recommend running these against your systems and logs.

While a list of affected MSPs isn't publicly known, the ACSC has contacted any MSPs they know to have been affected. If you have any concerns, we recommend you contact your MSP, as they will be able to provide more information about their situation.

You can also take this opportunity to update your risk registers and incident plans for any information and services you have hosted with a third party provider. Perhaps you could make it a start or end of year routine?

 

With that said, have a relaxing holiday season - we hope you don't have to play too much family tech support!

 

[0] https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion
[1] https://cyber.gov.au/msp-global-hack/
[2] https://www.abc.net.au/radionational/programs/breakfast/australian-businesses-hit-by-audacious-global-hacking-campaign/10645274
[3] https://www.arnnet.com.au/article/617425/aussie-msps-targeted-global-cyber-espionage-campaign/
[4] https://www.securityweek.com/dhs-warns-attacks-managed-service-providers
[5] https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
[6] https://cyber.gov.au/business/publications/msp-risk-for-clients/


« Back to all blog entries