Cloud Hopper

by Ray Hillen

What is it?

Cloud Hopper is an ongoing cyber espionage campaign, first discovered in 2016, with activity reaching as far back as 2014. Executed by a China-based threat actor group referred to as APT10, the campaign specifically targets Managed Service Providers (MSPs), using social engineering to take over accounts. More precisely, the actors use malware, utilities and other living-off-the-land tactics, techniques and procedures (TTPs), including reconnaissance, lateral movement, and command and control (C2), with the objective of crossing the MSP's security boundary into its customers' environments to acquire additional victims.

Why it matters now

The Commodity Futures Trading Commission (CFTC) released a Cyber Threat Alert on January 3 requesting that registered Commodity Pool Operators, Introducing Brokers, Commodity Trading Advisors and/or Retail Foreign Exchange Dealers report on the following items by January 10.

  • Details indicating whether their cloud service providers were affected by the attack.
  • A summary of the steps firms have taken to protect themselves in response to the attack.
  • How market participants whose data may have been affected have been notified of the breach.

As of January 9, the CFTC updated this January 10 requirement, specifying: “You are only required to submit an email confirmation if your cloud service providers have been affected by this attack.”

The CFTC letter also requested that firms provide, by January 20, information regarding any communications with affected parties about the attack, including cloud service providers, customers, clients, counterparties, business partners or industry-related parties. As of January 9, the CFTC updated this January 20 requirement, specifying that only registered Introducing Brokers or Retail Foreign Exchange Dealers are obligated to report.

Agio’s response

As a cloud service provider, Agio has confirmed we have not experienced any such events related to this campaign. Our Managed Detection & Response (MDR) team is actively hunting for APT10 activity both in our own environment as well as our MDR-client environments.

What should you be asking your cloud service provider and/or MSP?

  • Have any of your organization’s systems or services been impacted as a result of the APT10 Cloud Hopper Campaign?
  • If yes, please list what services have been impacted and what controls you have implemented to date to remediate the impact. Please include Lessons Learned from your Incident Response Report (where applicable).
  • What cybersecurity controls are in place to safeguard against this campaign?
  • Are you monitoring your environment for the APT10 known Indicators of Compromise (IOCs)?
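The last question above, monitoring for known IOCs, is in practice a sweep of DNS, proxy and endpoint logs against a list of domains, IP addresses and file hashes. The following is an added example of that sweep, written for this page; it is not Agio's tooling and not code from the original post. The indicator values and log lines are constructed placeholders (reserved example domains and documentation IP ranges, an all-`a` hash), not the APT10 indicators the post refers to; a real sweep would load the IOC list from a threat-intelligence feed. The example tokenizes each log line rather than doing substring matching, so that `198.51.100.170` is not mistaken for an indicator `198.51.100.17`, and it matches subdomains of an indicator domain, since C2 infrastructure is often addressed through hostnames beneath a known domain.

```python
"""IOC sweep over log lines. Added example; indicators and logs are constructed placeholders."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Placeholder indicators, constructed for this example. They are NOT the APT10 IOCs
# mentioned in the post; substitute the list from your threat-intelligence feed.
IOCS: Dict[str, Set[str]] = {
    "domain": {"example-c2.invalid", "files.example-drop.invalid"},
    "ip": {"203.0.113.45", "198.51.100.17"},
    "sha256": {"a" * 64},
}

# Constructed sample log lines (DNS, web proxy, EDR), not real telemetry.
SAMPLE_LOGS = [
    "2019-01-04T10:12:31Z dns client=10.0.0.12 query=update.EXAMPLE-C2.invalid. type=A",
    "2019-01-04T10:13:02Z proxy client=10.0.0.12 dst=203.0.113.45:443 action=allow",
    "2019-01-04T10:14:10Z edr host=ws-017 process=svchost.exe sha256=" + "A" * 64,
    "2019-01-04T10:15:00Z dns client=10.0.0.44 query=www.example.com type=A",
    "2019-01-04T10:16:00Z proxy client=10.0.0.44 dst=198.51.100.170:443 action=allow",
]

# Token extractors: whole hashes, whole dotted quads, and dotted names ending in a
# letters-only label (so an IPv4 address is never taken as a domain).
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,63})\b", re.I)
CLIENT_RE = re.compile(r"\b(?:client|host)=(\S+)")

EXTRACTORS = [("sha256", SHA256_RE), ("ip", IPV4_RE), ("domain", DOMAIN_RE)]


def _normalize(kind: str, value: str) -> str:
    """Lower-case everything; strip the trailing dot of an absolute DNS name."""
    value = value.lower()
    return value.rstrip(".") if kind == "domain" else value


def _matches(kind: str, value: str, known: Set[str]) -> List[str]:
    """Return the indicators that the observed value matches.

    Domains match exactly or as a subdomain of an indicator; IPs and hashes match exactly.
    """
    if kind == "domain":
        return [d for d in known if value == d or value.endswith("." + d)]
    return [value] if value in known else []


def _client(line: str) -> Optional[str]:
    """Pull the client= or host= field so a hit can be tied to a source system."""
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def scan_line(line: str, iocs: Dict[str, Set[str]] = IOCS) -> List[dict]:
    """Extract candidate tokens from one log line and compare each to the IOC set."""
    hits = []
    for kind, regex in EXTRACTORS:
        for raw in regex.findall(line):
            observed = _normalize(kind, raw)
            for ioc in _matches(kind, observed, iocs.get(kind, set())):
                hits.append({"type": kind, "observed": observed, "ioc": ioc})
    return hits


def scan_logs(lines: Iterable[str], iocs: Dict[str, Set[str]] = IOCS) -> List[dict]:
    """Scan every line, annotating each hit with its line number and source system."""
    results = []
    for number, line in enumerate(lines, 1):
        for hit in scan_line(line, iocs):
            hit["line"] = number
            hit["client"] = _client(line)
            results.append(hit)
    return results


def affected_hosts(hits: List[dict]) -> List[str]:
    """Distinct source systems with at least one IOC hit, for triage."""
    return sorted({h["client"] for h in hits if h["client"]})


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h['line']}: {h['type']} {h['observed']} matched {h['ioc']} on {h['client']}")
    print("hosts to triage:", affected_hosts(found))
```

Running the block as written flags three of the five constructed lines (one DNS query beneath an indicator domain, one proxy connection to an indicator IP, one EDR hash) and leaves the two benign lines alone, including the near-miss IP. The point for the questionnaire is that "monitoring for IOCs" means this kind of check runs continuously over the provider's own telemetry, with the indicator list kept current, rather than a one-off search.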

Questions?

If you have any questions on how we may be able to help you or if you need a list of the APT10 known Indicators of Compromise (IOCs), contact us.