• The US DHS has issued an alert about an ongoing campaign that has been targeting global cloud service providers.
  • The group has been using the RedLeaves malware to target global organizations.

The US Department of Homeland Security (DHS) has issued an alert warning about a new, ongoing campaign being carried out by an advanced persistent threat (APT) group. The campaign has been targeting cloud service providers across the globe.

“The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft,” DHS said in a statement.

Although the DHS did not mention the name of the threat group conducting the attacks, the agency’s statement mentioned that a previous alert contained more information about the current, ongoing campaign. The previous alert warned about a threat actor using the PlugX and the RedLeaves malware variants to target organizations across multiple sectors.

Both RedLeaves and PlugX are considered to be custom malware created and delivered by the Chinese threat group APT10. In other words, APT10 is likely behind the campaign targeting global cloud service providers.

In a recent joint report by PwC and BAE Systems, researchers said that between 2014 and 2016, APT10 used the PlugX malware extensively. However, since late 2016, the group has switched to using the RedLeaves and the ChChes malware in campaigns. The researchers dubbed APT10’s recent campaign “Operation Cloud Hopper”, adding that the threat actors also targeted Japanese organizations in a separate yet simultaneous campaign.

“APT10 is known to have exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks, and those of their customers, to stealthily move this data around the world,” PwC and BAE Systems researchers said in their report. “Our analysis of the compile times of malware binaries, the registration times of domains attributed to APT10, and the majority of its intrusion activity indicate a pattern of work in line with China Standard Time (UTC+8).”
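To make the timing argument in that quote concrete, the following Python example (added here; it is not code from the PwC/BAE report or from Cyware) scores candidate UTC offsets by how many compile timestamps land in local weekday working hours. The sample timestamps, the 09:00-18:00 working-hours window and the offset search range are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: PE compile timestamps in UTC, stand-ins for the
# IMAGE_FILE_HEADER TimeDateStamp values an analyst would pull from binaries.
# Twelve fall on weekday working hours in UTC+8; two are deliberate outliers.
SAMPLE_COMPILE_TIMES_UTC = [
    "2016-11-14T01:12:00", "2016-11-14T03:45:00", "2016-11-15T06:30:00",
    "2016-11-15T08:05:00", "2016-11-16T02:20:00", "2016-11-16T09:50:00",
    "2016-11-17T04:00:00", "2016-11-17T07:33:00", "2016-11-18T01:58:00",
    "2016-11-18T05:15:00", "2016-11-21T03:05:00", "2016-11-22T08:40:00",
    "2016-11-19T03:00:00",  # Saturday in UTC+8 (outlier)
    "2016-11-14T16:30:00",  # 00:30 next day in UTC+8 (outlier)
]

# Assumed working-hours window: Monday to Friday, 09:00 <= hour < 18:00 local time.
WORK_START, WORK_END = 9, 18


def parse_utc(timestamps):
    """Turn ISO-8601 strings into timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(t).replace(tzinfo=timezone.utc) for t in timestamps]


def working_hours_fraction(times_utc, utc_offset_hours):
    """Fraction of timestamps that land in weekday working hours at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for t in times_utc:
        local = t.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(times_utc)


def best_fit_offset(times_utc, offsets=range(-12, 15)):
    """Score every candidate offset and return (best_offset, {offset: fraction}).

    Caveat: compile timestamps can be zeroed or forged, and a handful of samples
    is weak evidence on its own; the report combined them with domain
    registration times and intrusion activity before drawing a conclusion.
    """
    scores = {off: working_hours_fraction(times_utc, off) for off in offsets}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    best, scores = best_fit_offset(parse_utc(SAMPLE_COMPILE_TIMES_UTC))
    print(f"best-fitting offset: UTC{best:+d} ({scores[best]:.0%} in working hours)")
```

On the constructed sample the search settles on UTC+8 with 12 of 14 timestamps inside working hours, which is the shape of evidence the quoted analysis describes.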

According to the researchers, since APT10’s activities were first discovered in 2013, the threat actor has been continually evolving. Over the years, the group has not only shifted its target base but has also moved from using common malware to more customized malicious tools.

“This campaign serves to highlight the importance of organizations having a comprehensive view of their threat profile, including that of their supply chains,” the researchers said. “More broadly, it should also encourage organisations to fully assess the risk posed by their third-party relationships, and prompt them to take appropriate steps to assure and manage these.”

Cyware Publisher