NCSC accuses China of targeting global MSPs in malicious cyber campaign

HPE and IBM are among firms reportedly targeted by state-linked APT10 hackers in a campaign to steal trade secrets

The UK, US, Australia and a host of allies have accused China of spearheading a malicious cyber campaign against global enterprises, reported to include the likes of HPE and IBM.

The National Cyber Security Centre (NCSC) issued an alert yesterday warning businesses across the UK that they face a renewed threat from the APT10 hacking group, acting on behalf of the Chinese Ministry of State Security.

The UK's cyber advisory body assessed "with the highest level of probability" that APT10 is responsible for a sustained cyber campaign focused on large-scale service providers in order to access commercial secrets.

Although the impact of an attacker's infiltration may be difficult to quantify at first, businesses are advised to consider the loss of intellectual property (IP) and the financial cost of data theft.

APT10 is also known to exfiltrate vast quantities of personal data, so a successful compromise risks hefty financial penalties under the EU's General Data Protection Regulation (GDPR).

IBM and HPE reportedly among those targeted

Infections have mainly come through Quasar RAT, a publicly available remote administration tool that APT10 has deployed since 2017. The group also uses RedLeaves and PlugX, although Quasar RAT is more prevalent in the UK.

"APT10 remains a significant and widespread threat to UK organisations of all sizes and affiliations. Its successful targeting of MSPs in recent years has afforded it a means to access networks globally on a vast scale," the NCSC's alert said.

"Nonetheless, the targeting methods used are not highly sophisticated and in many cases their impact can be mitigated through the implementation of basic security measures. 

"If evidence of malicious activity is found on an organisation's network, full investigation and remediation is strongly advised, with guidance from an experienced Cyber Incident Response company."

Reuters meanwhile has identified two managed service providers (MSPs) targeted as part of the Cloud Hopper campaign as IBM and Hewlett Packard Enterprise (HPE). But national cyber security agencies are refusing to identify any targets by name.

Hackers working on behalf of the Chinese government breached the HPE and IBM networks, according to sources speaking with Reuters, and then used this access to hack into their clients' computers.

The NCSC says it is aware of current malicious activity affecting UK organisations across a range of sectors, and that the APT10-led attacks are "almost certainly" facilitated by the group first targeting MSPs and other outsourcing providers.

Accusing China in a national security first

The UK Foreign Office has described the incident as evidence that elements of the Chinese government are not upholding a host of international commitments. Specifically among these is a G20 commitment that no country should engage in cyber espionage or the theft of IP and trade secrets against firms based in other G20 nations.

"This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world," said the foreign secretary Jeremy Hunt.

"Our message to governments prepared to enable these activities is clear: together with our allies, we will expose your actions and take other necessary steps to ensure the rule of law is upheld."

The joint announcement comes shortly after the US president's former cyber security advisor Rob Joyce sounded a warning that Chinese hacking attempts against the US are surging.

The former NSA senior intelligence officer said that while the Chinese hacking threat has predominantly focused on stealing IP and commercial secrets, there appears to be a transition to targeting critical infrastructure.

Investigators, for instance, have suggested the cyber attack against Marriott's Starwood hotel chain, which affected 500 million guests, originated from hackers based in China.

This is the first time the UK government has publicly named elements of the Chinese state as being responsible for a cyber campaign, having previously fingered North Korea for WannaCry, as well as naming Iran and Russia for several separate incidents.

Stealing corporate secrets for tech advantage

"Firstly, it's clear that the UK and US believe that China are using state intelligence capability to target western companies," said ITC Secure's director of cyber advisory Malcolm Taylor.

"All companies have incredibly valuable things to protect - but far from all of them protect their secrets as they should. This is yet another reminder that companies of all sizes across different sectors should take all the necessary steps to protect themselves.

"Secondly, it's a fascinating diplomatic move to go public now. It comes after the Huawei affair, the apparently reactive arrests in China of Canadian business people, and the trade war, and it looks like an extension of those by other means. 

McAfee's CTO Steve Grobman, meanwhile, said studies have shown this form of intellectual property theft accounts for a quarter of an estimated $600 billion annual economic loss inflicted by cybercriminals.

"In a technology-driven age, nations and industries will succeed or fail in part based on how effectively they can develop, implement, and protect new technologies," he said. 

"The theft of the intellectual property behind these technologies can provide tremendous technical advantages without the investments of capital, human talent, or other foundational elements associated with innovation. 

"Such advantages can be applied to enhance the competitiveness of a nation's businesses as well as the potency of its armed forces."

The NCSC has published several mitigations that firms can implement if they suspect they have been targeted, including using multi-factor authentication (MFA) across the organisation and whitelisting applications.

NCSC guidance also recommends that businesses contact their MSP, if they are a customer, and ask them how their organisation is handling the situation.
