APT10 … Are You Prepared?
19th October 2019
Back in 2018, you and your organisation may have become aware of the name “APT10”, either through journalists’ reporting or from a customer asking how well prepared your organisation is.
If you haven’t come across the term until now, then this is a good time to take note. APT10 is a well-organised cyber espionage group believed to be based in China, and very focused on stealing trade secrets and confidential data.
Awareness of the sheer scale and complexity of APT10’s capabilities came about largely through the coordinated work of the UK’s National Cyber Security Centre (NCSC, which absorbed CESG), the accountancy firm PwC and BAE Systems.
Thought to have commenced this campaign in 2014, activity notably increased towards the end of 2016 and was very much still active into 2018. The group is also tracked as “Stone Panda”; “Operation Cloud Hopper” is the name given to its campaign against Managed Service Providers (MSPs). Compromising an MSP gives the attackers a simple stepping stone into the MSP’s customers and their valuable data, because the MSP already holds trusted network connections and administrative access into those customer environments. Engineering organisations, or any organisation holding “trade secrets”, are also targets. The USA, UK, Europe and Japan are noted as the most likely destinations for the attackers’ attentions. The attackers registered a large number of legitimate-looking domain names and websites, used to trick unwary system administrators into opening spear-phishing attachments or links that triggered the embedded malware.
So what can organisations do to protect themselves?
- If you use an MSP to deliver any part of your service, ask how well they understand APT10 and whether their technical controls and staff awareness are adequate. Ask specifically how your environment is segregated from other customers and from the MSP’s own network, and how their remote-access credentials into your systems are protected and monitored.
- All organisations should communicate to all staff (not just sysadmins) the risks of malware and spear-phishing, so that staff can recognise and report fake or spoofed emails and websites before the embedded malware has an opportunity to gain a foothold.
- Review your security architecture, network hardening (port hardening, device patching, etc.), real-time activity monitoring and incident response capability, so that an intrusion is detected early and its damage contained.
- Seek the advice of information security professionals, and consider joining one of the specialist forums or groups monitoring APT10 closely. In the UK, NCSC runs CiSP (the Cyber Security Information Sharing Partnership) for exactly this purpose.
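One concrete check that follows from the look-alike domains mentioned above and the “real-time activity monitoring” point: flag inbound mail whose sender domain imitates your own domain or your MSP’s. The script below is an added example, not code from the original post or from any of the organisations named in it. The trusted domains, the substitution table and the mail-log lines are all constructed for illustration; the log format loosely follows Postfix `smtpd` lines.

```python
"""Flag look-alike sender domains in mail logs.

Added example, not part of the original post. TRUSTED_DOMAINS, SUBSTITUTIONS
and LOG_LINES are constructed for illustration.
"""
import re
from typing import List, Optional, Sequence, Tuple

# Constructed: domains the organisation and its MSP legitimately send from.
# A list (not a set) so that the order of comparison is deterministic.
TRUSTED_DOMAINS: List[str] = ["example-engineering.co.uk", "example-msp.com"]

# Constructed: character swaps commonly used to build look-alike domains.
# Multi-character swaps come first so "rn" becomes "m" before "1" becomes "l".
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                 ("3", "e"), ("5", "s"), ("-", "")]

FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def normalise(domain: str) -> str:
    """Lower-case a domain and undo the common look-alike substitutions."""
    d = domain.lower()
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(sender_domain: str,
             trusted: Sequence[str] = TRUSTED_DOMAINS,
             max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain being imitated, or None if the sender is fine.

    A genuine trusted domain, or any subdomain of it, is never flagged.
    """
    d = sender_domain.lower().rstrip(".")
    for t in trusted:
        if d == t or d.endswith("." + t):
            return None
    for t in trusted:
        # Trusted name used as a subdomain of an attacker-controlled domain,
        # e.g. example-msp.com.portal-login.net
        if d.startswith(t + ".") or ("." + t + ".") in d:
            return t
        # Homoglyph or typo variant, e.g. examp1e-msp.com
        if levenshtein(normalise(d), normalise(t)) <= max_distance:
            return t
    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (sender_domain, imitated_domain) pairs for suspicious log lines."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        domain = m.group(1)
        target = classify(domain)
        if target:
            hits.append((domain, target))
    return hits


# Constructed sample log lines; not real traffic.
LOG_LINES = """\
Oct 14 09:12:01 mx1 postfix/smtpd[2231]: from=<alerts@example-msp.com> to=<ops@example-engineering.co.uk>
Oct 14 09:13:44 mx1 postfix/smtpd[2231]: from=<support@examp1e-msp.com> to=<sysadmin@example-engineering.co.uk>
Oct 14 09:15:02 mx1 postfix/smtpd[2240]: from=<it@example-msp.com.portal-login.net> to=<sysadmin@example-engineering.co.uk>
Oct 14 09:16:30 mx1 postfix/smtpd[2240]: from=<newsletter@vendor-updates.org> to=<ops@example-engineering.co.uk>
Oct 14 09:17:05 mx1 postfix/smtpd[2251]: from=<helpdesk@mail.example-msp.com> to=<ops@example-engineering.co.uk>
"""

if __name__ == "__main__":
    for sender, imitated in scan(LOG_LINES):
        print(f"SUSPICIOUS sender domain {sender!r} resembles {imitated!r}")
```

Treat the output as a triage signal rather than a block list: edit distance on short domains produces false positives, so keep `max_distance` small, add known partners to the trusted list, and feed hits into the same incident process you use for reported phishing. A production version would also compare against the registrable domain (using the public suffix list) and decode IDN/punycode sender domains before normalising.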
For those of you with an Information Security Management System (and ISO 27001 certification), and especially if you’re an MSP, we’d recommend a prompt review of how effectively you have implemented these key controls from ISO/IEC 27001:2013 Annex A:
A.6.1.4 – Contact with special interest groups
A.7.2.2 – Information security awareness, education and training
A.12.2.1 – Controls against malware
A.12.4.1 – Event logging
A.12.6.1 – Management of technical vulnerabilities
A.13.1 – Network security management (all controls)
A.14.2 – Security in development and support processes (all controls)
A.15.1 – Information security in supplier relationships (all controls)
A.16.1 – Management of information security incidents and improvements (A.16.1.2, A.16.1.4, A.16.1.5 and A.16.1.7)
Half of the challenge with information security is understanding what needs to be protected against. Now you understand the risk, the other half is ensuring your controls are appropriate, properly implemented and effective. That’s an area where InfoSaaS continues to help many organisations around the world. Forewarned is forearmed.