Wednesday, 12 April 2017
Detecting & Preventing APT10 Operation Cloud Hopper
There has been much concern over a state-sponsor threat known as APT10 Operation Cloud Hopper, also known as Stone Panda, after the UK National Cyber Security Centre (NCSC) recently spooked UK businesses and their suppliers about a Chinese threat actor posing a serious threat to IT Managed Service Providers (MPS) and their UK clients.
Overview of the Threat
APT10, a Chinese-based hacking group also known as Stone Panda, MenuPass, CVNX, and Potassium is operating a hacking campaign known as Operation Cloud Hopper, which is believed to have been underway since 2014. There are intelligence reports which indicate the APT10 threat actor has significantly upscaled their capabilities and attack sophistication in early 2016. The APT10 Cloud Hopper campaign focuses on sending malware infected emails to staff working at IT Managed Service Providers (MPS), once executed the malware creates a backdoor which allows the attacker remote access to the MSP's backend systems. From there the attackers are able to navigate the MSP network and identify external connections with the MSP clients, which are their actual targets. These network channels are then used to steal data from those clients, data which is packaged and exhilarated through the MSP remote connection. These backdoors are known to remain undetected for months, due to the use of tailored malware which is undetectable by anti-virus and security monitoring systems.
So how do you know if your business has been infiltrated or is being attacked by APT10, aside from the NCSC informing you are a victim?
PwC and BAE Systems have been assisting NCSC with APT10, have produced a list of known source IP addresses of the attackers, which can be imported into security monitoring solutions such as firewalls, IDS/IPS, proxy servers, content filtering and SIEM \ log management solutions. Any hits against these IP addresses would be highly concerning, in such scenarios I would recommend unplugging the network cable (and not powering off) all suspect systems, and then seeking help from external qualified and experienced digital forensic investigator if you don’t have one to hand in your business. There are other known APT10 IP addresses to be found within the NCSC CiSP forum, but you will have to sign up to get those here. https://www.ncsc.gov.uk/cisp
PwC and BAE Systems have also provided an extract list of known APT10 malicious MD5 file hashes (unique identifier for the known malicious APT10 related files).These MD5 hash lists can be used to scan for the presence of known malicious APT10 files on servers and workstations. I recommend importing those file MD5 hash lists into a scanner, such as the Nessus Vulnerability Scanner, and scanning the entire IT estate on a regular basis if your business is an IT MSP.
APT10 is Active and Here to Stay
Keep an eye on the NCSC, PwC and BAE Systems for updates about the APT10 threat, as they are likely to provide updated lists of known associated IP addresses and further MD5 file hashes as more incidents are investigated and intelligence comes to their attention. Given this threat actor is said to be still active and is known to be operational for several years, don't expect APT10 to be going away anytime soon, after all APT actually stands for Advanced 'Persistent' Threat. So if you are an IT MSP, it will be prudent to routinely check and update your lists of APT10 suspected IP addresses and MD5 file hashes to be monitored and regularly scanned.
Most anti-virus and web filtering vendors worth their salt should now be aware of this threat and should be keeping up-to-date with the latest APT10 related malware and associated IP addresses and file hashes as well, but it is well worth asking them about their position. It goes without saying that it is paramount to keep all security prevention and monitoring systems bang up-to-date, as is performing regular external and internal network vulnerability scans, and monitoring and acting upon any signs of compromise.