NCSC accuses China of targeting global MSPs in malicious cyber campaign

Fingerprint on a Chinese key on a keyboard to denote cyber crime

The UK, US Australia and a host of allies have accused China of spearheading a malicious cyber campaign against global enterprises, reported to include the likes of HPE and IBM.

The National Cyber Security Centre (NCSC) issued an alert yesterday warning businesses across the UK that they face a renewed threat from the ATP10 hacking group, acting on behalf of the Chinese Ministry of State Security.

The UK's cyber advisory body assessed "with the highest level of probability" that ATP10 is responsible for a sustained cyber campaign focused on large-scale service providers in order to access commercial secrets.

Although the impact of an attacker's infiltration may be difficult to quantify at first, businesses are advised to examine the loss of intellectual property (IP) and the financial cost of data theft.

ATP10 are also known to exfiltrate vast quantities of personal data, with a successful compromise risking hefty financial penalties under the EU's General Data Protection Regulation (GDPR).

IBM and HPE reportedly among those targeted

The nature of the infection mainly arises through a malware known as Quasar RAT, a publicly available remote administration tool, that ATP10 has deployed since 2017. The group also uses RedLeaves and PlugX, although Quasar RAT is more prevalent in the UK.

"APT10 remains a significant and widespread threat to UK organisations of all sizes and affiliations. Its successful targeting of MSPs in recent years has afforded it a means to access networks globally on a vast scale," the NCSC's alert said.

"Nonetheless, the targeting methods used are not highly sophisticated and in many cases their impact can be mitigated through the implementation of basic security measures.

"If evidence of malicious activity is found on an organisation's network, full investigation and remediation is strongly advised, with guidance from an experienced Cyber Incident Response company."

Reuters meanwhile has identified two managed service providers (MSPs) targeted as part of the Cloud Hopper campaign as IBM and Hewlett Packard Enterprise (HPE). But national cyber security agencies are refusing to identify any targets by name.

Hackers working on behalf of the Chinese government breached the HPE and IBM networks, according to sources speaking with Reuters, and then used this access to hack into their clients' computers.

The NCSC says it is aware of current malicious activity affecting UK organisations across a range of sectors, and that the ATP10-led attacks are "almost certainly" facilitated by the group first targeting MSPs and other outsourcing providers.

Accusing China in a national security first

The UK Foreign Office has declared the incident as evidence that elements of the Chinese government are not upholding a host of international commitments. Specifically among these is a G20 commitment that no country should engage in cyber espionage or IP and trade secrets theft against firms based in other G20 nations.

"This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world," said the foreign secretary Jeremy Hunt.

"Our message to governments prepared to enable these activities is clear: together with our allies, we will expose your actions and take other necessary steps to ensure the rule of law is upheld."

The joint-announcement comes shortly after the US president's former cyber security advisor Rob Joyce sounded a warning that Chinese hacking attempts against the US are surging.

The former NSA senior intelligence officer said that while the Chinese hacking threat has predominately focused on stealing IP and commercial secrets, there appears to be a transition to targeting critical infrastructure.

Investigators, for instance, have suggested the cyber attack against Marriot's Starwood hotel chain, which affected 500 million guests, originated from hackers based in China.

This is the first time the UK government has publicly named elements of the Chinese state as being responsible for a cyber campaign, having previously fingered North Korea for WannaCry, as well as naming Iran and Russia for several separate incidents.

Stealing corporate secrets for tech advantage

"Firstly, it's clear that the UK and US believe that China are using state intelligence capability to target western companies," said ITC Secure's director of cyber advisory Malcolm Taylor.

"All companies have incredibly valuable things to protect - but far from all of them protect their secrets as they should. This is yet another reminder that companies of all sizes across different sectors should take all the necessary steps to protect themselves.

"Secondly, it's a fascinating diplomatic move to go public now. It comes after the Huawei affair, the apparently reactive arrests in China of Canadian business people, and the trade war, and it looks like an extension of those by other means.

McAfee's CTO Steve Grobman, meanwhile, said studies have shown this form of intellectual property theft accounts for a quarter of an estimated $600 billion annual economic loss inflicted by cybercriminals.

"In a technology-driven age, nations and industries will succeed or fail in part based on how effectively they can develop, implement, and protect new technologies," he said.

"The theft of the intellectual property behind these technologies can provide tremendous technical advantages without the investments of capital, human talent, or other foundational elements associated with innovation.

"Such advantages can be applied to enhance the competitiveness of a nation's businesses as well as the potency of its armed forces."

The NCSC has issued several mitigating steps that firms can implement, if they're suspected of having been targeted, including using multi-factor authentication (MFA) across the organisation, and whitelisting applications.

NCSC guidance also recommends that businesses contact their MSP, if they are a customer, and ask them how their organisation is handling the situation.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.