Chinese hackers have done the math and have figured out that infiltrating the third-party companies that store confidential details about big businesses is more efficient than attacking each of those firms individually, Department of Homeland Security and information security analysts said.
“You can outsource your operations but you cannot outsource your risk,” Bradford Wilkie, head of stakeholder engagement at the Department of Homeland Security’s cyber division, said during a Feb. 6 briefing.
The Department of Homeland Security and the information security firms Recorded Future and Rapid 7 said that the Chinese government-sponsored group APT10 is responsible for attacking third-party companies, intrusions that could leave the door open to a broad swath of potential victims. Examples of such third-party companies include cloud service providers, data storage companies, internet providers and credit card companies.
“Malicious cyber actors working on behalf of the Chinese government have been targeting managed cloud service providers,” Wilkie said.
The Chinese embassy in Washington D.C. did not respond to a request for comment.
DHS officials specifically warned about the Cloud Hopper campaign, which targets managed service providers that store sensitive details from the finance, telecommunications, biotechnology, consulting and automotive industries. The Chinese hacking campaign is not limited to one location and has been spotted on every continent, according to a Homeland Security slide.
“This actor sweeps up collateral targets of opportunity, in addition to their primary targets of interest,” another slide said.
“In general, they are using widely available tools or living-off-the-land,” said Casey Kahsen, an incident response engagement lead at the Department of Homeland Security. “That’s part of what makes attribution so difficult.”
The hacking effort is tied to China’s five-year plan that promotes economic growth in the fields of robotics, next-generation information technology and biotechnology, according to the Department of Homeland Security.
Recorded Future and Rapid 7 also released a joint report Feb. 6 that warned of hackers targeting third-party service providers. The report cited the infiltration of Visma, a Norway-based cloud services provider worth more than $1 billion, as an example.
“We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks, and not of stealing Visma intellectual property,” the joint report said.
An international apparel company and a U.S. law firm with experience in intellectual property law were also targeted by similar campaigns, the report said.
“It’s a lot more efficient to victimize a managed service provider if you know that 10 of your potential targets use that managed service provider for, say, internet access,” Priscilla Moriuchi, director of strategic threat development at Recorded Future, told Fifth Domain.
“The global business community doesn’t have a handle on supply chain management,” Moriuchi said. “Attackers know that. In this case we’ve seen the [Chinese] Ministry of State Security. The [Russian] GRU and likely a lot of others in the future are going to be employing a technique to attack third-party supply chains.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.