Chinese Group Is Hacking Cloud Providers to Reach Into Secure Enterprise Networks

Malware Hunter
Jul 22, 2014
A cyber-espionage group that first surfaced in 2009 is using a novel tactic to hack its targets: it first breaches one of the target's cloud service providers, then reaches inside the company's secure business network via the cloud service's approved communications channels.

The tactics of this group are new and haven't been seen before. Until now, cyber-espionage groups, regardless of affiliation, used cloud providers mainly to store malware or as relay points for stolen data.

This group's decision to hack the cloud service providers comes as these services are becoming ubiquitous in enterprise networks; almost all companies use one or more cloud services to handle some type of activity, be it human resource management, inventory activities, email, or file sharing and hosting.

Hackers use cloud services to hide malicious activity
This particular group of Chinese hackers is known in the infosec community under different names, such as APT10 (FireEye), Red Apollo (PwC), CVNX (BAE Systems), Stone Panda (CrowdStrike), POTASSIUM (Microsoft), and MenuPass (Trend Micro).

Until recently, its activity involved the classic method of using spear-phishing attacks aimed at individuals inside corporate or government networks.

As of late 2016, BAE and PwC researchers both noted a change in the targeting of APT10. Instead of going after employees working in secure and hardened enterprise networks, where there's a chance of getting caught, the attackers started targeting individuals at cloud service providers, which don't always feature the same level of security protections.

Once APT10 operators get a foothold inside these companies, they take over their systems and use the access the cloud service has to the enterprise networks to infiltrate and hack the cloud provider's clients.

All infiltration and exfiltration operations are handled via the cloud service's regular communications channels, which are usually whitelisted inside the clients' networks.
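The defensive consequence of that last point is that an allowlisted provider channel cannot simply be trusted; it has to be baselined like any other destination. The following is an added example (not part of the article) that parses constructed proxy log lines with hypothetical provider hostnames and flags transfers to allowlisted hosts that are far above the per-pair baseline or happen outside working hours.

```python
import re
from collections import defaultdict
from statistics import median

# Proxy log lines are CONSTRUCTED for this example, in the format:
# "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
# The hosts in ALLOWLIST stand for a hypothetical service provider's
# endpoints that the perimeter permits without further inspection.
ALLOWLIST = {"sync.msp-example.net", "api.msp-example.net"}

LOG_LINES = [
    "2017-04-03T09:05 10.0.1.5 sync.msp-example.net 12000",
    "2017-04-03T10:05 10.0.1.5 sync.msp-example.net 11500",
    "2017-04-03T11:05 10.0.1.5 sync.msp-example.net 12800",
    "2017-04-03T12:05 10.0.1.5 sync.msp-example.net 11900",
    "2017-04-04T02:17 10.0.1.5 sync.msp-example.net 950000000",
    "2017-04-03T09:10 10.0.1.7 api.msp-example.net 4000",
    "2017-04-03T14:10 10.0.1.7 api.msp-example.net 4300",
    "2017-04-03T15:00 10.0.1.9 updates.vendor-example.com 2000000",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse(lines):
    """Yield (timestamp, src, dst, bytes_out) for well-formed lines only."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, size = m.groups()
            yield ts, src, dst, int(size)

def flag_allowlisted_anomalies(lines, allowlist, ratio=20.0, work_hours=(6, 20)):
    """Return events to allowlisted hosts whose size is at least `ratio` times
    the (src, dst) pair's median, or which occur outside `work_hours`.
    Only allowlisted destinations are examined: the trusted channel itself
    is what needs baselining, not just unknown hosts."""
    events = [e for e in parse(lines) if e[2] in allowlist]
    by_pair = defaultdict(list)
    for _, src, dst, size in events:
        by_pair[(src, dst)].append(size)
    baseline = {pair: median(sizes) for pair, sizes in by_pair.items()}
    flagged = []
    for ts, src, dst, size in events:
        hour = int(ts[11:13])
        reasons = []
        if size >= ratio * baseline[(src, dst)]:
            reasons.append("volume")
        if not (work_hours[0] <= hour < work_hours[1]):
            reasons.append("off-hours")
        if reasons:
            flagged.append((ts, src, dst, size, reasons))
    return flagged

if __name__ == "__main__":
    for hit in flag_allowlisted_anomalies(LOG_LINES, ALLOWLIST):
        print(hit)
```

The median is used as the baseline because a single large exfiltration would drag a mean upward and hide itself; the non-allowlisted vendor host is deliberately ignored here, since that traffic belongs to a different control.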

Hackers breached companies all over the globe