An advanced persistent threat group linked to the Chinese government and accused of conducting a widespread cyber espionage campaign against IT service providers has gone quiet since two of its members were indicted by the Department of Justice last year, according to a Department of Homeland Security official. It nonetheless remains an active threat to American businesses and, most recently, to targets in the Philippines.
The group, known as APT10, has a history of targeting the U.S. technology supply chain. In recent years it has focused on compromising managed service and cloud providers, which often remotely manage IT systems and store data on behalf of client companies and — when compromised — can give attackers access to the networks of many businesses at once.
Rex Booth, chief of cyber threat analysis at the Cybersecurity and Infrastructure Security Agency, said at a DHS webinar held Feb. 6 that the campaign against IT service providers started in 2014 and continued through 2018.
The campaign is part of a larger strategic shift by APT10 in recent years from “labor intensive, one-off compromises of individual targets” to “force multiplier effects that enable them to compromise multiple targets through a single attack.”
Former White House Cybersecurity Coordinator and National Security Agency Senior Advisor Rob Joyce said on the information security podcast Risky Business this month that threats to U.S. managed service providers from Chinese hackers remain “a real and present commercial threat.”
U.S. officials say the primary targets of the campaign were companies that support commercial activities aligned with priorities listed in China’s 2025 plan to become a global leader in emerging technologies.
The technological focus of affected companies listed in the December 2018 indictment, including satellites, aviation, telecommunications, industrial factory automation, biotechnology, mining and others, “reads like a shopping list from China’s strategic plans,” Booth said.
The group uses a few unique tools to attack providers but mostly relies on common attack vectors such as spear-phishing and theft of login credentials, especially those of users with elevated access.
Intelligence and law enforcement agencies are also making a concerted push to discourage businesses and countries around the world from doing business with Chinese telecommunications firm Huawei and other Chinese companies when building out their 5G networks. CISA leadership has indicated that communicating the threat posed by China to the technology supply chain and 5G will be one of the top priorities for the agency this year, according to a DHS source familiar with internal deliberations.