Operation Cloud Hopper, uncovered by researchers at BAE Systems and PwC, was a cyberespionage campaign by APT10 (also known as Red Apollo and the menuPass Team) that targeted IT managed service providers (MSPs) in order to steal their clients' corporate data.
The attackers gained their initial foothold at the MSPs through this novel attack vector using stolen administrative credentials, obtained via spear-phishing emails and malicious documents sent to the MSPs.
Once the threat group had compromised an MSP, they were able to pivot onto their targets' networks through the network infrastructure shared between the MSP and its clients. Data was exfiltrated through the MSP itself, which made detecting the APT's movements more difficult, as this network traffic appeared to be legitimate.
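The detection problem in that paragraph, as an added example that is not part of the original post or of any ThreatSTOP product: because the exfiltration rides the same channel the MSP uses for legitimate remote management, simply blocking MSP traffic is not an option, so the script below baselines each client host's daily transfer volume toward the MSP's management subnet and flags days that are far above that host's own median on other days. The MSP subnet, the host addresses and the flow records are constructed sample data for illustration, not values from the campaign.

```python
"""Flag client hosts whose outbound volume to the MSP management subnet
spikes far above their own historical baseline (constructed example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed MSP management/jump-host subnet (placeholder, not from the post).
# A real deployment would take this from the provider's documented ranges.
MSP_MGMT_NET = ip_network("203.0.113.0/24")

# Constructed flow records: (ISO timestamp, src_ip, dst_ip, bytes_sent).
# Host 10.20.1.15 sends a small, steady amount of monitoring data to the MSP
# each day and then pushes roughly 2 GB in the early hours of one day: the
# pattern described above, where exfiltration blends into MSP traffic.
SAMPLE_FLOWS = [
    ("2017-03-01T09:12:00", "10.20.1.15", "203.0.113.10", 1_500_000),
    ("2017-03-02T09:14:00", "10.20.1.15", "203.0.113.10", 1_700_000),
    ("2017-03-03T09:11:00", "10.20.1.15", "203.0.113.10", 1_400_000),
    ("2017-03-04T09:13:00", "10.20.1.15", "203.0.113.10", 1_600_000),
    ("2017-03-05T02:40:00", "10.20.1.15", "203.0.113.10", 2_100_000_000),
    ("2017-03-05T02:55:00", "10.20.1.15", "203.0.113.11", 150_000_000),
    # A second host with only routine MSP traffic, plus one large transfer to
    # a destination outside the MSP subnet, which this check deliberately ignores.
    ("2017-03-01T11:00:00", "10.20.1.22", "203.0.113.10", 900_000),
    ("2017-03-02T11:00:00", "10.20.1.22", "203.0.113.10", 950_000),
    ("2017-03-03T11:00:00", "10.20.1.22", "203.0.113.10", 980_000),
    ("2017-03-05T11:00:00", "10.20.1.22", "198.51.100.7", 5_000_000_000),
]


def daily_bytes_to_msp(flows, msp_net=MSP_MGMT_NET):
    """Sum bytes per (source host, calendar day) for flows whose destination
    lies inside the MSP management subnet. Other destinations are skipped."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if ip_address(dst) in msp_net:
            day = datetime.fromisoformat(ts).date().isoformat()
            totals[(src, day)] += nbytes
    return dict(totals)


def flag_volume_anomalies(daily, factor=10, min_bytes=100_000_000):
    """Return (src, day, bytes, baseline) for each day on which a host moved at
    least `factor` times its own median daily volume to the MSP and more than
    `min_bytes` in absolute terms. The baseline is computed from the host's
    *other* days so that one huge day cannot inflate its own baseline."""
    by_src = defaultdict(dict)
    for (src, day), nbytes in daily.items():
        by_src[src][day] = nbytes

    alerts = []
    for src, days in by_src.items():
        for day, nbytes in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if not others:
                continue  # a host seen on a single day has no baseline yet
            baseline = median(others)
            if nbytes >= min_bytes and nbytes >= factor * baseline:
                alerts.append((src, day, nbytes, baseline))
    return alerts


if __name__ == "__main__":
    daily = daily_bytes_to_msp(SAMPLE_FLOWS)
    for src, day, nbytes, baseline in flag_volume_anomalies(daily):
        print(f"ALERT {src} on {day}: {nbytes:,} bytes to MSP subnet "
              f"(median on other days {baseline:,.0f} bytes)")
```

The absolute floor (`min_bytes`) keeps a host that normally sends a few kilobytes from alerting on a routine software update, while the per-host ratio catches the large transfer that a fleet-wide threshold tuned for file servers would miss. In practice the same logic is run over NetFlow or proxy logs and the MSP subnet comes from the provider's documented address ranges.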
This campaign used the custom RedLeaves RAT, which could enumerate a victim's system and execute commands issued by the APT's command and control server.
Victims were chosen from a wide pool of industries, such as retailers and technology companies, and came from all over the globe.
APT10, first seen in 2009, is suspected to be based in China and is known for targeting defense and government organizations in the United States.
A US-CERT Alert on this campaign is available on their website.
ThreatSTOP IP Firewall Service and DNS Firewall Service protect against APT10's latest campaign when TSCritical targets are enabled.
For more information or to get started with a free trial, visit us here.