NCSC accuses China of targeting global MSPs in malicious cyber campaign

HPE and IBM are among firms reportedly targeted by state-linked APT10 hackers in a campaign to steal trade secrets


The UK, US, Australia and a host of allies have accused China of spearheading a malicious cyber campaign against global enterprises, reported to include the likes of HPE and IBM.

The National Cyber Security Centre (NCSC) issued an alert yesterday warning businesses across the UK that they face a renewed threat from the APT10 hacking group, acting on behalf of the Chinese Ministry of State Security.

The UK's cyber advisory body assessed "with the highest level of probability" that APT10 is responsible for a sustained cyber campaign focused on large-scale service providers in order to access commercial secrets.

Although the impact of an attacker's infiltration may be difficult to quantify at first, businesses are advised to examine the loss of intellectual property (IP) and the financial cost of data theft. 


APT10 is also known to exfiltrate vast quantities of personal data, with a successful compromise risking hefty financial penalties under the EU's General Data Protection Regulation (GDPR).

IBM and HPE reportedly among those targeted

Infections mainly occur through malware known as Quasar RAT, a publicly available remote administration tool that APT10 has deployed since 2017. The group also uses RedLeaves and PlugX, although Quasar RAT is more prevalent in the UK.

"APT10 remains a significant and widespread threat to UK organisations of all sizes and affiliations. Its successful targeting of MSPs in recent years has afforded it a means to access networks globally on a vast scale," the NCSC's alert said.

"Nonetheless, the targeting methods used are not highly sophisticated and in many cases their impact can be mitigated through the implementation of basic security measures. 

"If evidence of malicious activity is found on an organisation's network, full investigation and remediation is strongly advised, with guidance from an experienced Cyber Incident Response company."

Reuters, meanwhile, has identified two managed service providers (MSPs) targeted as part of the Cloud Hopper campaign as IBM and Hewlett Packard Enterprise (HPE). National cyber security agencies, however, are refusing to identify any targets by name.


Hackers working on behalf of the Chinese government breached the HPE and IBM networks, according to sources speaking with Reuters, and then used this access to hack into their clients' computers.

The NCSC says it is aware of current malicious activity affecting UK organisations across a range of sectors, and that the APT10-led attacks are "almost certainly" facilitated by the group first targeting MSPs and other outsourcing providers.

Accusing China in a national security first

The UK Foreign Office has declared the incident as evidence that elements of the Chinese government are not upholding a host of international commitments. Specifically among these is a G20 commitment that no country should engage in cyber espionage or IP and trade secrets theft against firms based in other G20 nations.

"This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world," said the foreign secretary Jeremy Hunt.


"Our message to governments prepared to enable these activities is clear: together with our allies, we will expose your actions and take other necessary steps to ensure the rule of law is upheld."

The joint announcement comes shortly after the US president's former cyber security advisor Rob Joyce sounded a warning that Chinese hacking attempts against the US are surging.


The former NSA senior intelligence officer said that while the Chinese hacking threat has predominantly focused on stealing IP and commercial secrets, there appears to be a transition to targeting critical infrastructure.

Investigators, for instance, have suggested the cyber attack against Marriott's Starwood hotel chain, which affected 500 million guests, originated from hackers based in China.

This is the first time the UK government has publicly named elements of the Chinese state as being responsible for a cyber campaign, having previously fingered North Korea for WannaCry, as well as naming Iran and Russia for several separate incidents.

Stealing corporate secrets for tech advantage

"Firstly, it's clear that the UK and US believe that China are using state intelligence capability to target western companies," said ITC Secure's director of cyber advisory Malcolm Taylor.

"All companies have incredibly valuable things to protect - but far from all of them protect their secrets as they should. This is yet another reminder that companies of all sizes across different sectors should take all the necessary steps to protect themselves.

"Secondly, it's a fascinating diplomatic move to go public now. It comes after the Huawei affair, the apparently reactive arrests in China of Canadian business people, and the trade war, and it looks like an extension of those by other means."


McAfee's CTO Steve Grobman, meanwhile, said studies have shown this form of intellectual property theft accounts for a quarter of an estimated $600 billion annual economic loss inflicted by cybercriminals.

"In a technology-driven age, nations and industries will succeed or fail in part based on how effectively they can develop, implement, and protect new technologies," he said. 


"The theft of the intellectual property behind these technologies can provide tremendous technical advantages without the investments of capital, human talent, or other foundational elements associated with innovation. 

"Such advantages can be applied to enhance the competitiveness of a nation's businesses as well as the potency of its armed forces."

The NCSC has issued several mitigating steps that firms suspected of having been targeted can implement, including using multi-factor authentication (MFA) across the organisation and whitelisting applications.

NCSC guidance also recommends that businesses contact their MSP, if they are a customer, and ask them how their organisation is handling the situation.
