feature image

Digital Pulse

in·no·va·tion – A creation resulting from study and/or experimentation. The act of starting something new.

dis·rup·tion – An act of delaying or interrupting continuity. An event that results in displacement or discontinuity. The act of causing disorder.

Digital change is a journey, not a destination.
It requires agility and flexibility to underpin a continually evolving business environment.

Industry Change – The ongoing economic, technological and social development of commercial business and market sectors.

Operation Cloud Hopper: How PwC helped uncover a global cyber espionage campaign

Operation Cloud Hopper: How PwC helped uncover a global cyber espionage campaignKey takeaways

  • In April 2017, it was revealed that an unprecedented but highly effective cyber espionage technique had been discovered by PwC.
  • Hacking activity, which we named Operation Cloud Hopper, was uncovered that sought to steal sensitive intellectual property and personal data from businesses in at least 14 countries.
  • Sophisticated new tactics include gaining access to systems via third-party IT service providers.

Earlier this year, PwC played a key role in uncovering cyber espionage activity that employed a methodology never seen before. It was a campaign with wide-ranging consequences that will have a knock-on effect for cyber security policies and practices for the IT industry going forward.

Dubbed Operation Cloud Hopper, it’s a tale that kicks off when, as part of ongoing research, suspicious activity was uncovered on computer networks. As a result, a team of threat intelligence experts was tasked with uncovering the extent of the compromise and looking at who might be involved.

The compromise assessment

The researchers set about looking for evidence of unauthorised entry for those involved – i.e. someone having gained restricted access to private networks. To do this, the environment is scoped out by running a fine-tooth comb over every computer that connects to the network.

In this case, a wealth of forensic artefacts were revealed – indicators of compromise – essentially, proof that something was indeed amiss.

These findings triggered an incident response protocol: containing the threat. This is a delicate matter; it’s not just about barging in and ejecting uninvited guests.

Against adversaries of such sophistication you must strive, firstly, to simply observe, and for as long as possible, gathering any information relevant to identifying the actors and then circumventing their future attempts at access.

Look, listen and tread carefully

Instead of a direct confrontation, PwC worked with others in the community to contain and isolate the interlopers, making sure the compromise was now secured by strategically tightening access privileges.

Meanwhile, the tools and processes in use by the threat actors, their identifying behaviours and other observations were collated, synthesised and triangulated to reveal identities and the characteristics, methodologies and overall sophistication of the operation.

The malware had been seen before and was recognised for being in common use by a China-based threat actor, the infamous APT10, already well known by the security community.

To further corroborate the attackers’ identities, historical analysis of the hacking activity revealed a highly regimented daily schedule; one that aligned to a UTC+8 workday (including two-hour lunch breaks) – further suggesting a China-based threat actor.

Australia’s response

PwC’s UK cyber security team then called in their Australian colleagues to assist with round-the-clock monitoring.

And so, we watched, waited and began erecting the virtual infrastructure that would exclude APT10 from the system for good.

We soon realised, however, that the intruders hadn’t ‘come in the front door’ (so to speak), as usually occurs, and it was hard to make out any discernable entry point.

The riddle resolved only once we observed their attempts to exfiltrate data by firstly transferring it through the organisation’s managed IT services provider (MSP). We realised APT10 were focused in the direction of upstream targets, namely the supply chain – a much more powerful position from a hacker’s perspective.

After all, why invest so much effort into compromising organisations piecemeal when you can target a few organisations that are connected to not only your target organisation, but potentially many others as well?

A no-brainer from their perspective, but a real headache for everyone else.

Collaborating with the community

PwC notified the threat intelligence community and, alongside BAE Systems, which was also undertaking such investigatory work¹, attempted to understand the scope and sophistication of the hacking operation at hand. We then worked with the UK government’s National Cyber Security Centre to notify MSPs and known victims.

Forging real collaborations with other members of the cyber security community, both in the public and private sector, was invaluable in gaining advantage over the threat.

Of course, these well staffed, well-funded hacking teams have a reputation for tenacity. Re-entry, therefore, is almost immediately attempted so open-ended monitoring of environments going forward, therefore, is critical.

Why is this a big deal?

While hacking goes on all the time, this incident was unique. The implications could be wide-reaching, with the potential to affect the business processes of organisations around the world.

What we’re looking at here is targeting of the supply chain, the third party provider.

Now, it’s not just your own security systems, processes and policies that need to be well thought out and implemented effectively, but also those of your managed IT services provider (MSP). The difficulty, of course, is how to ensure they’re being as diligent as you are.

On the one hand, prudence would encourage us to ensure all contracts and service level agreements encapsulate a minimum acceptable standard for security policy.

On the other, because we can never be truly certain about the state of third-party providers, from now on it would be wise to assume that there is – or will be in future – a breach; but, we can pre-empt the damage, for example, by limiting the access privileges of MSPs operating on your systems and segmenting your network such that valuable information can’t be accessed directly.

Talk to IT service providers

Ultimately, however, the real necessity now is to initiate a discussion with your MSP about the situation as it stands: that there are highly sophisticated hacking teams actively targeting and successfully penetrating third parties in order to gain privileged access to their client’s valuable data.

It’s recommended you show the PwC Operation Cloud Hopper report to your MSP as they may remain as yet unaware.

What the findings mean to you

Further to discussing the matter as openly and honestly as you can with your IT services provider, it’s important to remain alert and thoroughly monitor your systems even for subtle anomalies, as professional hackers are masters of blending in with their surroundings.

If you don’t have the expertise in house, we recommend engaging the services of a dedicated IT security company that can investigate the situation correctly.

Developing an effective and comprehensive incident response plan is also crucial.

Where lies the liability?

While it might be tempting to apportion all responsibility to your MSP, in reality that’s not workable.

You can stipulate via contract that best-practice security hygiene be applied, but if your MSP resides in another country, there may be little way to ensure compliance. There are tools and services available that allow a client to monitor the activities of their MSP, and deploying these as a matter of course needs to be encouraged.

Ultimately, what’s needed is to manage the managers and, if you’re outsourcing your IT, chances are you’ll need to outsource this oversight function, too. Dedicated security monitoring services act as an expert security overseer of your networks and the activity occurring on them.

For most companies, this option would afford the best and most effective long-term solution and we expect such arrangements to become increasingly common as awareness of supply-chain hacking spreads.

Keeping security simple

Perhaps the most powerful message in this story is that regardless of how resilient your infrastructure,  the weakest link remains the humans in charge.

Typically, a breach will begin with a user receiving a malicious email and then choosing to open an attachment or click a link in it. In some cases, user computers can be infected by simply visiting their favourite website, or opening a document and not having an up to date system.

Even in this age of growing digital awareness, clearly not everyone understands best security practice. Education, even at this basic level, could be an inexpensive means to achieve a sizeable reduction in the frequency of such events in future.

The goal is to protect those easy entry points utilised to date, buy ourselves some time, and start preparing for the next attempt in the cat-and-mouse game of cyber espionage.


For full details of Operation Cloud Hopper, click here to access the PwC and BAE Systems report.

With thanks to Robert Martin, Partner, from PwC Australia’s Cyber Security and Forensics team.

1  http://baesystemsai.blogspot.com.au/2017/04/apt10-operation-cloud-hopper_3.html

Leave a Comment

Share This