Aussie enterprises warned of Chinese hacks via outsourcers

Targeted by APT10/Stone Panda group.

The Australian Cyber Security Centre (ACSC) is warning big business about a global hacking campaign thought to emanate from China that targets enterprises through their outsourcers.

Known as APT10 or Stone Panda, the hacking group has sought to steal information and gain access to private and public organisations since the middle of 2016, the ACSC said.

A joint report by security vendor BAE Systems and management consultancy PwC said the attackers were targeting IT outsourcing suppliers as a stepping stone to gain access to their true targets, under what the firms have dubbed Operation Cloud Hopper.

"Managed service providers are a particularly sensitive area of business; these companies both hold large volumes of customer data but also may have VPN, RDP, and other connections into networks they manage," BAE Systems wrote.

"As sensitive organisations such as government and Defence have improved their perimeter security it has forced APT groups to look elsewhere for infiltration routes. The ‘supply-chain’ is one of these vectors, and we continue to see an increasing number of actors finding success in exploiting this route."

The attackers are using both common and custom malware, like the PlugX espionage tool and RedLeaves backdoor, to carry out their attacks, the firms said.

Alongside targeting managed service providers, the group has also used the ChChes malware against Japanese scientists and pharmaceutical companies, the report stated.

The ACSC is asking enterprises to encourage their outsourcers to work with the Australian Signals Directorate and CERT Australia to help keep businesses safe.

The cyber security centre said it had no evidence that the general public or small to medium sized enterprises are being targeted.

It said the compromises identified to date "likely represent only a small proportion of the activity". It did not reveal how many compromises had been identified, nor which organisations were affected.

The UK's National Cyber Security Centre has given the same warning to that country's enterprises.

The hacking group - which also goes under the name menuPass - has been active since 2009. A 2012 analysis by security vendor FireEye pointed to the group originating from China [pdf].

Copyright © iTnews.com.au . All rights reserved.