How Has APT10 (menuPass) Exploited Managed Service Providers
A long-running operation carried out by China-linked hackers, and tracked as Cloud Hopper, has targeted clients of major companies, including IBM, HPE, Tata CS, Fujitsu, and NTT.
Hackers broke into the internal networks of major companies, such as HPE and IBM, and stole corporate data and trade secrets. The attackers then used the stolen information to target customer systems.
The list of victims is long and includes tech giants like HPE, IBM, DXC, Fujitsu, and Tata.
"Teams of hackers connected to the Chinese Ministry of State Security had penetrated HPE's cloud computing service and used it as a launchpad to attack customers, plundering reams of corporate and government secrets for years in what U.S. prosecutors say was an effort to boost Chinese economic interests." reads a report published by the Reuters agency.
"The hacking campaign, known as "Cloud Hopper," was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM."
The study attributed the

An initial report revealed that Cloud Hopper hackers compromised the internal networks at HPE and IBM, then targeted customer servers that were managed by the IT giants, or connected in some way to their infrastructure.
Now, Reuters has revealed that at least another six companies were hacked as part of the same campaign conducted by the APT10 threat actors. The breached companies are Fujitsu, Tata Consultancy Services, Dimension Data, NTT, and Computer Sciences Corporation.
Even if HPE has been hacked multiple times since 2010, most of the hacks occurred between 2015 and 2017.
APT10 hackers also targeted the customers of the IT companies, stealing plans, blueprints, personal information, and other information.
"APT10 often attacked a service provider's system by "spear-phishing" – sending company
"After the attackers "hopped" from a service provider's network into a client system, their behavior varied, which suggests the attacks were conducted by multiple teams with different skill levels and tasks, say those aware of the operation. Some intruders resembled "drunken burglars," said one source, getting lost in the labyrinth of corporate systems and appearing to grab files at random."
According to Reuters, the hackers had total control over the HPE corporate network; they also left messages taunting system administrators.
One of the hacking tools used by the group in the campaign contained the message 'FUCK ANY AV', referencing the fact that victims protected their infrastructure with antivirus software. In one case, threat actors used the name nsa.mefound.com to mock US intelligence.
What is disconcerting, and certainly unique, is that the Cloud Hopper campaign is still ongoing and the hackers are adopting new techniques to remain under the radar for a long time.
Pierluigi Paganini
Source: https://securityaffairs.co/wordpress/87691/apt/cloud-hopper-service-providers.html
Posted by: graysonausand.blogspot.com