Critical infrastructure sectors in the U.S. and abroad have been targeted by an active cyber-espionage campaign previously traced by private security researchers to China, the Trump administration said Wednesday.
The Department of Homeland Security warned that actors associated with an advanced persistent threat, or APT – a label applied to sophisticated, typically state-sponsored hacking groups – have set their sights on potential victims in the U.S. information technology, energy, healthcare, communications and critical manufacturing sectors.
Known by names such as APT10 and “MenuPass,” the group was the subject of a previous alert issued by DHS in April 2017 that warned of an emerging, sophisticated hacking campaign that had compromised victims including IT service providers, putting its perpetrators in a position to possibly leverage that access for subsequent attacks.
Eighteen months later, DHS said in a pair of advisories that the same hacking group is conducting an ongoing campaign specifically targeting global managed service providers (MSPs), or companies that offer online cloud-based services, and that it was actively using stolen credentials to “expand unauthorized access, maintain persistence and exfiltrate data from targeted organizations.”
“Given the increasingly important role that managed services providers play in supporting business processes and operations in today’s business environment, a threat affecting one entity can have cascading effects across many sectors,” said Christopher Krebs, the National Protection and Programs Directorate undersecretary in charge of NCCIC.
“These cyber threat actors are still active and we strongly encourage our partners in government and industry to work together to defend against this threat,” he said in a statement.
The campaign is being conducted specifically for the purposes of cyber espionage and intellectual property theft, and DHS is aware of a limited number of U.S. victims, the agency said.
According to DHS, APT10 hackers can remain undetected after breaching targets including global IT networks by using legitimate credentials to disguise their activity as routine administration. Once inside, the hackers can then implant malware or use other means to exfiltrate data.
“By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks,” said one of the advisories. “Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.”
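The advisory's point about bidirectional movement suggests a concrete detection check: MSP administrative credentials are expected to authenticate from the provider's management network into customer networks, so a successful logon with an MSP account that originates inside a customer network (heading back to the MSP, or across to another customer) is worth alerting on. The following is an added illustration, not code from DHS or from any of the vendors named in the article; the network ranges, account names, log format and log lines are all constructed for the example.

```python
"""Flag MSP credentials used in the wrong direction across tenant boundaries.

Constructed example. Logon events are single lines of the form
    <timestamp> <account> <source_ip> <destination_ip> <SUCCESS|FAILURE>
MSP accounts should connect FROM the MSP management network INTO customer
networks. Any successful MSP-account logon that originates from a customer
network is reported as possible bidirectional (MSP <-> customer) movement.
"""
import ipaddress

# Hypothetical network layout and account list (assumptions for this example).
NETWORKS = {
    "msp-mgmt": ipaddress.ip_network("10.10.0.0/16"),
    "customer-a": ipaddress.ip_network("192.168.10.0/24"),
    "customer-b": ipaddress.ip_network("192.168.20.0/24"),
}
MSP_ACCOUNTS = {"msp-admin", "msp-svc-backup"}


def classify(ip):
    """Map an IP address to the named network it belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line):
    """Parse one constructed logon line into a dict of its fields."""
    ts, account, src, dst, result = line.split()
    return {"ts": ts, "account": account, "src": src, "dst": dst, "result": result}


def find_suspicious(lines):
    """Return findings for successful MSP-account logons not sourced from the
    MSP management network. Each finding records the event and the direction
    of travel (source network -> destination network)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        # Only successful logons with MSP credentials are in scope here.
        if ev["account"] not in MSP_ACCOUNTS or ev["result"] != "SUCCESS":
            continue
        src_net, dst_net = classify(ev["src"]), classify(ev["dst"])
        if src_net == "msp-mgmt":
            continue  # expected direction: provider -> customer
        findings.append({
            "ts": ev["ts"],
            "account": ev["account"],
            "direction": f"{src_net}->{dst_net}",
        })
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """
2018-10-03T01:12:04Z msp-admin 10.10.5.21 192.168.10.15 SUCCESS
2018-10-03T01:14:30Z msp-admin 192.168.10.15 10.10.5.40 SUCCESS
2018-10-03T01:20:11Z msp-svc-backup 192.168.10.15 192.168.20.7 SUCCESS
2018-10-03T02:00:00Z alice 192.168.10.3 192.168.10.50 SUCCESS
2018-10-03T02:05:00Z msp-admin 192.168.20.7 10.10.5.40 FAILURE
""".strip().splitlines()


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['account']} moved {f['direction']}")
```

On the sample above only the second and third lines are reported: an MSP admin logging on from customer A back into the MSP network, and an MSP backup account hopping from customer A into customer B. The first line is the expected provider-to-customer direction, the fourth uses a non-MSP account, and the fifth failed. In practice the network map would come from the provider's asset inventory and the events from the authentication logs of both the MSP and its customers, which is exactly the cross-organisation visibility the advisory says this campaign exploits the lack of.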
Following publication of the initial DHS report in 2017, security researchers for companies including Accenture, FireEye, PwC and BAE Systems connected the hacking group to China. CrowdStrike, a Silicon Valley company that reached a similar conclusion, previously linked APT10 to the Chinese Ministry of State Security, a foreign intelligence agency akin to the U.S. National Security Agency.