Over recent weeks, your organisation may have become aware of the name “APT10”, either through journalists’ efforts, or perhaps from one of your customers seeking to understand how well prepared your organisation is.
If you haven’t yet come across the term, now would be a good time to take note. APT10 is a well-organised cyber attack network believed to be based in China and very focused on stealing trade secrets and confidential data. Awareness of the sheer scale and complexity of APT10’s capabilities has only come about through the co-ordinated work of the UK’s National Cyber Security Centre (NCSC, formerly CESG), the accountancy firm PwC and BAE Systems.
The campaign, known as “Operation Cloud Hopper” (also referred to as “Stone Panda”), is thought to have commenced in 2014; its activity increased notably towards the end of 2016 and it is very much active at the moment. It focuses on compromising Managed Service Providers (MSPs), which then gives the hackers a simple stepping stone via internal networks to the MSPs’ customers and their valuable data. Engineering organisations, and others holding “trade secrets”, are also targets. The USA, the UK, Europe and Japan are noted as the most likely destinations for the hackers’ attentions.
The hackers maintain a large database of normal-looking domain names and websites, used to trick unwary system administrators into triggering embedded malware.
So what can organisations do to protect themselves?
a. If you use an MSP to deliver any part of your service, you should ask about their level of understanding of APT10, and whether their technical controls and staff awareness of this issue are appropriate.
b. All organisations should communicate to all staff (not just sysadmins) the risks of malware and spear-phishing, so that fake or spoofed emails and websites are identified before the embedded malware has an opportunity to gain a foothold.
c. Review your security architecture, the resilience of your network (port hardening, device patching etc.), real-time activity monitoring and incident response capability to ensure early detection and damage limitation.
d. Seek the advice of information security professionals, and consider joining one of the specialist forums or groups monitoring APT10 closely. The NCSC provides CISP for this purpose.
BAE Systems, which has worked extensively on the analysis of APT10, has published additional information.
For those of you with an Information Security Management System (and ISO 27001 certification), and especially if you’re an MSP, we’d recommend a prompt review of the effectiveness of your implementation of these key controls from Annex A:
A6.1.4 – Contact with special interest groups
A7.2.2 – Information security education, awareness and training
A12.2.1 – Protection from malware
A12.4.1 – Event logging
A12.6.1 – Management of technical vulnerabilities
A13.1 – Network security management (all controls)
A14.2 – Security in development and support processes (all controls)
A15.1 – Information security in supplier relationships (all controls)
A16.1 – Management of information security incidents (2/4/5/7)
Half of the challenge with information security is understanding what needs to be protected against. Now you understand the risk, the other half is ensuring your controls are appropriate, properly implemented and effective. That’s an area where InfoSaaS Assure continues to help many organisations around the world.
Forewarned is forearmed.