Recent Media Reports on Operation Cloud Hopper

The Threat

eSentire has been tracking operation Cloud Hopper since its emergence in 2014. Cloud Hopper is a campaign that is conducted by the Chinese hacking group known as APT10 (Stone Panda) and targets Managed Service Providers (MSPs). Recent reporting from the Wall Street Journal states that operation Cloud Hopper is significantly larger and has affected more companies than previously believed [1]. eSentire continues to monitor for this campaign and has not detected it against eSentire.

What we’re doing about it

• eSentire continues to run detection rules for known APT10 related indicators that were deployed during Cloud Hopper’s emergence.
• eSentire will continue to communicate impactful changes in Cloud Hopper activity as they are identified.

What you should do about it

• Ensure supply chain partners are employing best security practices
• Restrict VPN traffic for partner organizations and MSPs via a dedicated VPN connection
• Employ Multi-Factor Authentication (MFA) for access to email and VPN services
• Apply the principle of least privileged to MSP accounts
• Enable VPN logging
• See US-CERT Briefing Chinese Cyber Activity Targeting Managed Service Providers for additional recommendations [2]

Additional information

• The main goal of operation Cloud Hopper appears to be the theft of commercial secrets.
• It is believed that at least twelve individual MSPs were compromised during operation Cloud Hopper. CGI Group Inc, Tieto Oyj, and International Business Machines Corp (IBM) were all affected; the full list of MSPs is not currently public knowledge.

Tactics, Techniques & Procedures (TTPS)

• Threat Actors may gain initial access to MSP networks through phishing or spear-phishing documents
• APT 10 uses a combination of custom malware and commodity malware to establish persistence on infected systems
• Living off the land tools and stolen credentials are used for lateral movement between networks
• Sensitive data is exfiltrated via MSP networks in order to camouflage the theft
• It has been speculated that exfiltrated data from multiple compromised companies is sent to one MSP and centralized before the final theft of information

Known Affected Industries [2]:

• Financial
• Telecommunications
• Consumer Electronics
• Manufacturing
• Consulting, Healthcare
• Biotechnology
• Mining
• Automotive
• Drilling

Timeline:

• 2014: Believed start date of Cloud Hopper campaign
• 2016: The rate of attacks related to Cloud Hopper Increase
• April 2017: PwC UK in collaboration with BAE Systems released the first report on Cloud Hopper
• 2017-2018: Attacks continue despite public release of information
• December 2018: Two Chinese Nationals charged for their part in the campaign
• June 2019: Additional details become available after report by Reuters [3]
• December 2019: WSJ announces the scope of Cloud Hopper was significantly larger than previously believed [1]

References:

[1] https://www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061

[2] https://www.us-cert.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf

[3] https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/