NCSC accuses China of targeting global MSPs in malicious cyber campaign

HPE and IBM are among firms reportedly targeted by state-linked ATP10 hackers in a campaign to steal trade secrets

Fingerprint on a Chinese key on a keyboard to denote cyber crime

The UK, US Australia and a host of allies have accused China of spearheading a malicious cyber campaign against global enterprises, reported to include the likes of HPE and IBM.

The National Cyber Security Centre (NCSC) issued an alert yesterday warning businesses across the UK that they face a renewed threat from the ATP10 hacking group, acting on behalf of the Chinese Ministry of State Security.

The UK's cyber advisory body assessed "with the highest level of probability" that ATP10 is responsible for a sustained cyber campaign focused on large-scale service providers in order to access commercial secrets.

Although the impact of an attacker's infiltration may be difficult to quantify at first, businesses are advised to examine the loss of intellectual property (IP) and the financial cost of data theft. 

ATP10 are also known to exfiltrate vast quantities of personal data, with a successful compromise risking hefty financial penalties under the EU's General Data Protection Regulation (GDPR).

IBM and HPE reportedly among those targeted

The nature of the infection mainly arises through a malware known as Quasar RAT, a publicly available remote administration tool, that ATP10 has deployed since 2017. The group also uses RedLeaves and PlugX, although Quasar RAT is more prevalent in the UK.

"APT10 remains a significant and widespread threat to UK organisations of all sizes and affiliations. Its successful targeting of MSPs in recent years has afforded it a means to access networks globally on a vast scale," the NCSC's alert said.

"Nonetheless, the targeting methods used are not highly sophisticated and in many cases their impact can be mitigated through the implementation of basic security measures. 

"If evidence of malicious activity is found on an organisation's network, full investigation and remediation is strongly advised, with guidance from an experienced Cyber Incident Response company."

Reuters meanwhile has identified two managed service providers (MSPs) targeted as part of the Cloud Hopper campaign as IBM and Hewlett Packard Enterprise (HPE). But national cyber security agencies are refusing to identify any targets by name.

Hackers working on behalf of the Chinese government breached the HPE and IBM networks, according to sources speaking with Reuters, and then used this access to hack into their clients' computers.

The NCSC says it is aware of current malicious activity affecting UK organisations across a range of sectors, and that the ATP10-led attacks are "almost certainly" facilitated by the group first targeting MSPs and other outsourcing providers.

Accusing China in a national security first

The UK Foreign Office has declared the incident as evidence that elements of the Chinese government are not upholding a host of international commitments. Specifically among these is a G20 commitment that no country should engage in cyber espionage or IP and trade secrets theft against firms based in other G20 nations.

"This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world," said the foreign secretary Jeremy Hunt.

"Our message to governments prepared to enable these activities is clear: together with our allies, we will expose your actions and take other necessary steps to ensure the rule of law is upheld."

The joint-announcement comes shortly after the US president's former cyber security advisor Rob Joyce sounded a warning that Chinese hacking attempts against the US are surging.

The former NSA senior intelligence officer said that while the Chinese hacking threat has predominately focused on stealing IP and commercial secrets, there appears to be a transition to targeting critical infrastructure.

Investigators, for instance, have suggested the cyber attack against Marriot's Starwood hotel chain, which affected 500 million guests, originated from hackers based in China.

This is the first time the UK government has publicly named elements of the Chinese state as being responsible for a cyber campaign, having previously fingered North Korea for WannaCry, as well as naming Iran and Russia for several separate incidents.

Stealing corporate secrets for tech advantage

"Firstly, it's clear that the UK and US believe that China are using state intelligence capability to target western companies," said ITC Secure's director of cyber advisory Malcolm Taylor.

"All companies have incredibly valuable things to protect - but far from all of them protect their secrets as they should. This is yet another reminder that companies of all sizes across different sectors should take all the necessary steps to protect themselves.

"Secondly, it's a fascinating diplomatic move to go public now. It comes after the Huawei affair, the apparently reactive arrests in China of Canadian business people, and the trade war, and it looks like an extension of those by other means. 

McAfee's CTO Steve Grobman, meanwhile, said studies have shown this form of intellectual property theft accounts for a quarter of an estimated $600 billion annual economic loss inflicted by cybercriminals.

"In a technology-driven age, nations and industries will succeed or fail in part based on how effectively they can develop, implement, and protect new technologies," he said. 

"The theft of the intellectual property behind these technologies can provide tremendous technical advantages without the investments of capital, human talent, or other foundational elements associated with innovation. 

"Such advantages can be applied to enhance the competitiveness of a nation's businesses as well as the potency of its armed forces."

The NCSC has issued several mitigating steps that firms can implement, if they're suspected of having been targeted, including using multi-factor authentication (MFA) across the organisation, and whitelisting applications.

NCSC guidance also recommends that businesses contact their MSP, if they are a customer, and ask them how their organisation is handling the situation.

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now


What is cyber warfare?

What is cyber warfare?

22 Sep 2020
TikTok vulnerability exposed private user data
data protection

TikTok vulnerability exposed private user data

26 Jan 2021
SonicWall hacked via zero-day flaw in remote access tools

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Best ransomware removal tools

Best ransomware removal tools

22 Jan 2021

Most Popular

WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021