British companies targeted in attacks traced back to China

Attackers work in teams around the clock to target British companies

British companies are being targeted by hackers linked to China's government, working around the clock in shifts, and targeting IT services companies as a springboard for infiltrating their clients.

The warning comes as a result of joint research by consultants PwC UK and BAE Systems' IT security arm, which also drew on expertise from the UK National Cyber Security Centre's (NCSC) Certified Incident Response (CIR) scheme.

The report suggests that the attacks have been taking place since at least 2014, with more activity than average in the past year.

The researchers say that the attackers are "widely known within the security community as 'APT10'" and that the 'Cloud Hopper' campaign the study identified was simultaneously used in targeted attacks against Japanese companies as well.

The report states that APT10 is widely recognised as a threat that emanates from China.

This is by no means the first campaign attributed to APT10, a group that has existed since at least 2009 and has been known to switch its approach when needed. In 2013, following FireEye's disclosure of how the Poison Ivy malware family works, the group re-tooled before recommencing activities.

This is no one-person attack, either. APT10 is thought to have teams of people working in shifts on their own distinct areas of responsibility and expertise.

"As a result of our analysis of APT10's activities, we believe that it almost certainly benefits from significant staffing and logistical resources, which have increased over the last three years, with a significant step-change in 2016," the report claims.

"Due to the scale of the threat actor's operations throughout 2016 and 2017, we similarly assess it currently comprises multiple teams, each responsible for a different section of the day-to-day operations, namely domain registration, infrastructure management, malware development, target operations, and analysis."

The true goal of targeting IT service providers, according to the researchers, is to gain entry to the "unfettered and direct access" they should have to clients' networks, as well as the swathes of data they might also have stored.

The malware used by APT10 falls into two categories: tactical and sustained. The tactical malware (EvilGrab, ChChes, RedLeaves) is designed to be disposable and is delivered via spear-phishing.

Once a target system has been compromised, the 'sustained' malware (Poison Ivy, PlugX, Quasar) provides long-term remote access and the ability to carry out higher-level tasks.

Organisations that have fallen victim to APT10 in this attack have already been warned by the two companies and the NCSC, according to the BBC.
