A Chinese hacking and cybercrime group nicknamed “Red Apollo” last year launched one of the largest ever sustained global cyber espionage campaigns.
Rather than attacking companies directly, it targeted cloud service providers, attempting to use their networks to spread spying tools to a large number of companies. It was the latest warning sign of the risks posed by so-called supply chain attacks, the FT reported, citing PwC, the professional services company, which tracked the campaign.
Known as Operation Cloud Hopper, the attack targeted a small number of managed IT service providers, giving it the potential to spread malware to all the clients that use these outsourcing companies to run their computer networks. Companies in 15 countries, including the UK, France, Switzerland, the US, Canada, Australia and Japan, were targeted.
This indirect approach demonstrates a new level of maturity in cyber espionage, and is increasingly common. Symantec, the cyber security company, says in a recent report it saw a 200% increase in supply chain attacks in 2017 compared with the previous year.
National governments are increasingly concerned about the trend. However, recent hacking headlines have been dominated by geopolitical concerns, such as growing fears among western powers about Russia’s increasingly aggressive behaviour in cyber space. One of the behind-the-scenes ways of combating these threats is improving supply chain security; UK security officials have made this one of their priorities for the rest of 2018.
“If we look at the last year or two of cyber attacks there have been a lot of dramatic attacks,” says Ciaran Martin, chief executive of the UK’s National Cyber Security Centre (NCSC), part of GCHQ. “But one of the slow burning, strategic issues is the integrity of the supply chain and how corporations and government departments manage that risk. I think collectively we have been slower than we should have been to realise the importance of that.”
Cyber security experts say that while Cloud Hopper did not cause serious damage to those compromised, June 2017’s NotPetya attack, which the UK and the US have attributed to the Russian military, was an example of a supply chain attack that did have costly and damaging implications.
Although aimed primarily at companies in Ukraine, which has been in conflict with Russia-backed separatists since 2014, the ransomware attack spread far beyond its original target and is estimated to have cost businesses around the world, including the shipping group Maersk and the UK-based consumer goods company Reckitt Benckiser, more than $1.2bn in total.
Richard Horne, a cyber security partner at PwC, explains how Russian hackers breached a software provider in Ukraine called MeDoc and inserted a “back door” into its next software update. “Once that was inserted then the attackers could download their malicious code — a brilliant piece of code — which then spread within about 60 minutes.”
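The mechanism Horne describes, a vendor's own update channel carrying a backdoored build to every customer, is the reason update clients should verify what they install rather than trust the server that served it. The following is an added example, not code from MeDoc, PwC or the FT, written in Go with only the standard library. It assumes a publisher that signs a small release manifest (product name, version, SHA-256 of the payload) with an Ed25519 key kept off the build and update servers, and a client that checks the signature, the product name, the version (to block rollback to an older, known-vulnerable release) and the payload hash before applying anything. The product name and payload bytes are constructed for the example. The caveat a practitioner should keep in mind: this catches an update altered after signing, such as on a compromised update server or CDN; if the attacker can reach the signing key or inject code before the build is signed, the signature will verify and only build-side controls (reproducible builds, offline keys, review of what was signed) help.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. Its bytes are what the publisher signs, so the
// update server only hosts opaque data it cannot alter without breaking the signature.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the update payload
}

// SignedManifest is what the update server hands to clients alongside the payload.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`  // JSON-encoded Manifest, signed as-is
	Signature []byte `json:"signature"` // Ed25519 signature over Manifest
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrWrongProduct = errors.New("manifest was issued for a different product")
	ErrRollback     = errors.New("update version is not newer than the installed version")
	ErrHashMismatch = errors.New("payload hash does not match the signed manifest")
)

// Release is the publisher side: hash the built payload and sign a manifest for it.
// The private key is assumed to be held offline, away from build and update servers.
func Release(priv ed25519.PrivateKey, product string, version int, payload []byte) (SignedManifest, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	b, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// VerifyUpdate is the client side. pub is the publisher key pinned in the client at
// install time, never fetched from the update server. Checks run in order: signature
// first (nothing else in the manifest can be trusted before it), then product, then
// version, then the payload hash. Any failure means the payload must not be applied.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, payload []byte, product string, installed int) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	if m.Product != product {
		return m, ErrWrongProduct
	}
	if m.Version <= installed {
		return m, ErrRollback
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return m, ErrHashMismatch
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return m, ErrHashMismatch
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher key pair (constructed for the example)
	payload := []byte("constructed sample update payload, version 2")
	sm, _ := Release(priv, "example-accounting", 2, payload)

	// A genuine update for a client on version 1 verifies.
	_, err := VerifyUpdate(pub, sm, payload, "example-accounting", 1)
	fmt.Println("genuine update:", err)

	// The same manifest served with a payload modified after signing does not.
	tampered := append(append([]byte{}, payload...), []byte("\n# injected backdoor")...)
	_, err = VerifyUpdate(pub, sm, tampered, "example-accounting", 1)
	fmt.Println("tampered payload:", err)
}
```

Running the block prints `<nil>` for the genuine update and the hash-mismatch error for the altered payload. Swapping the publisher key for one the attacker generated, or editing the manifest bytes to point at a different hash, fails at the signature check before any other field is read, which is why the pinned public key must not come from the same server that delivers updates.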
The primary worry for cyber security officials is that state-backed hackers and criminals could penetrate the systems of critical infrastructure organisations such as banks, energy companies and government departments.
“From the point of view of the attacker — whether it’s defence, energy or basic commerce — if you can get in through the supply chain, it’s just as good as being in the main networks,” says Martin of the NCSC.