‘Five Eyes’ Countries Attribute APT10 Attacks to Chinese Intelligence Service

Following the indictment of two alleged members of a Chinese cyberespionage group by the U.S. Department of Justice Dec. 20, the governments of Canada, Australia, New Zealand and the U.K. have publicly attributed the group’s activities to China’s Ministry of State Security.

This is the second time that the countries that make up the so-called Five Eyes intelligence-sharing alliance have jointly attributed a cyberattack to a particular nation. In February, the same countries blamed Russia’s military intelligence service, the GRU, for the NotPetya ransomware outbreak.

The Chinese APT10 group has been active since at least 2006 and is also known in the security industry as Red Apollo, Stone Panda and Potassium. Its main activity is the theft of intellectual property and, over the years, it has targeted organizations from many industries, including aviation, satellite and maritime technology, industrial factory automation, automotive supplies, laboratory instruments, banking and finance, telecommunications and consumer electronics, computer processor technology, information technology services, packaging, consulting, medical equipment, health care, biotechnology, pharmaceutical manufacturing, mining and oil and gas exploration.

The attribution announcements by the Five Eyes countries focused on an APT10 attack campaign that started in 2016 and targeted managed service providers (MSPs), technology companies that manage the IT services and infrastructure for medium to large businesses. This particular attack campaign is known in the security industry as Operation Cloud Hopper and was documented last year by PwC and BAE Systems.

Reuters reported Dec. 20, citing anonymous sources, that Hewlett Packard Enterprise (HPE) and IBM were among the companies hit by APT10 in Operation Cloud Hopper.

“MSPs are an attractive, high-value target for threat actors,” Canada’s Communications Security Establishment (CSE) said in a press release. “This is because MSPs typically have extensive access to multiple client networks in order to perform their job of IT specialist. The compromise of one MSP can affect multiple clients globally and provides a threat actor with access to multiple client systems and large amounts of sensitive data, leading to loss of proprietary information, disruption to business operations, financial loss, and potential harm to the affected organization’s reputation.”

“The NCSC [National Cyber Security Centre] assesses that it is highly likely that APT 10 has an enduring relationship with the Chinese Ministry of State Security, and operates to meet Chinese State requirements,” the U.K.’s Foreign Office and Foreign Secretary said in a press release. “Given the high confidence assessment and the broader context, the UK government has made the judgement that the Chinese Ministry of State Security was responsible.”

The government of Japan has also issued a statement, saying that it has observed continuous attacks from APT10 against private companies and academic institutions in the country.

The 2017 report on Cloud Hopper released by PwC and BAE Systems noted that APT10 targeted a number of Japanese organizations and masqueraded as Japanese government entities to gain access.

Japan “strongly supports the determination of the United Kingdom, the United States and other countries to uphold the rules-based international order in cyberspace,” the Japanese Ministry of Foreign Affairs said.

Chinese Foreign Ministry Spokesperson Hua Chunying called the accusations made against China in this matter “erroneous” and “unwarranted” and accused the U.S. of fabricating the story “out of nothing.”

“The Chinese government has never participated in or supported others in stealing commercial secrets in any form,” she said during a press conference.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
