Operation Cloudhopper (2017)
| Date | The campaign has been active since at least 2016 and continued throughout 2018. A report published by PwC and BAE Systems exposed the cyber espionage operation in April 2017. |
| Suspected actor | APT10 Group (also known as Stone Panda, POTASSIUM, MenuPass and Red Apollo), a hacking group allegedly tied to the Tianjin bureau of the Chinese Ministry of State Security. Following the indictment of two Chinese hackers belonging to APT10 by the US Justice Department, Britain, Australia, and New Zealand issued formal public statements stating that APT10 acts on behalf of the Chinese government. Chinese authorities denied any involvement in supporting or directing APT10. |
| Target | The group conducted a widespread cyber espionage campaign via cloud Managed IT Service Providers (MSPs), targeting a substantial number of enterprises in North America, Europe, and South Asia. |
| Method | The large-scale campaign used several malware families, including customized variants of remote access Trojans such as PlugX, Poison Ivy, ChChes and Graftor. The malware was delivered through spear-phishing emails to collect credentials from profiles of interest and gain access to their networks, in particular the Managed IT Service Providers and the infrastructure they share with their clients. Having compressed the data and moved it from the MSP customer's network back onto the MSP, the hackers exfiltrated the stolen data to infrastructure they controlled. |
| Purpose | Intellectual property theft, most likely to gain economic advantages. |
| Result | Gigabytes of intellectual property have been stolen from companies and government organizations around the world. |
| Aftermath | On 21 December 2018, the US Justice Department announced an indictment against two Chinese nationals linked to the APT10 group. The charges are conspiracy to commit computer intrusions, wire fraud and aggravated identity theft. |
| Analysed in | Scenario 09: Economic cyber espionage |
Collected by: Samuele De Tomas Colatin
- S Gallagher, “New data shows China has “taken the gloves off” in hacking attacks on US”, (1 November 2018), Ars Technica.
- PricewaterhouseCoopers LLP, BAE Systems, Report: “Operation Cloud Hopper”, (April 2017), PwC and BAE Systems.
- Council on Foreign Relations, “Cyber Operations Tracker”, CFR.
- The United States Department of Justice, “Two Chinese Hackers Associated with the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information”, (20 December 2018), US DOJ Office of Public Affairs.
- UK Government Press Release, “UK and allies reveal global scale of Chinese cyber campaign”, (20 December 2018), UK Foreign and Commonwealth Office.
- Australian Ministry of Foreign Affairs, “Attribution of Chinese cyber-enabled commercial intellectual property theft”, (21 December 2018), Australian Department of Foreign Affairs and Trade.
- National Cyber Security Center of New Zealand, “Cyber campaign attributed to China”, (21 December 2018), The Government Communication Security Bureau.
- P Wen, “China denies 'slanderous' economic espionage charges from U.S., allies”, (21 December 2018), Reuters.
- Al Jazeera and News Agencies, “China rejects economic espionage accusations from US, allies”, (21 December 2018), Al Jazeera.
- UK National Cyber Security Centre, “Advisory: APT10 continuing to target UK organisations”, (20 December 2018), UK NCSC Alerts and Advisories.
- Trend Micro Security News, “Operation Cloud Hopper: What You Need to Know”, (10 April 2017), Trend Micro Incorporated.
- FBI News Stories, “Chinese Hackers Indicted”, (20 December 2018), US Federal Bureau of Investigation.
- FBI Most Wanted List, “APT 10 GROUP”, US Federal Bureau of Investigation.