The Cloud Hopper cyberattacks that targeted major MSPs and cloud service providers (CSPs) worldwide were larger than previously disclosed, according to a Wall Street Journal investigation published this week.
Cyber investigators first spotted Cloud Hopper activities in 2016. By 2018, roughly 14 unnamed companies -- believed to be MSPs and CSPs, for the most part -- were thought to be targets. APT10, a hacker group with alleged ties to China, apparently drove the attacks -- which "jumped" from the cloud providers into end-customer networks.
A closer look by The Wall Street Journal now suggests that some companies -- such as CGI Group, HP Enterprise, IBM and Tieto Oyj -- were hit harder by the attacks than originally thought.
According to the report:
"The Journal found that Hewlett Packard Enterprise Co. was so overrun that the cloud company didn’t see the hackers re-enter their clients’ networks, even as the company gave customers the all-clear.
Inside the clouds, the hackers, known as APT10 to Western officials and researchers, had access to a vast constellation of clients. The Journal’s investigation identified hundreds of firms that had relationships with breached cloud providers, including Rio Tinto, Philips, American Airlines Group Inc., Deutsche Bank AG, Allianz SE and GlaxoSmithKline PLC."
Among the additional Journal findings:
- Investigators allege many of the major cloud companies tried to stonewall clients about what was happening inside their networks.
- The Department of Homeland Security is striving to revise federal contracts in a way that would force CSPs to comply with future probes.
- The hack illustrates a weakness at the heart of global business -- namely CSPs and MSPs that can become doorways into end-customer systems.
- It’s an open question whether hackers remain inside companies’ networks today, The Journal said.
In response to the Journal report, HPE said the company worked diligently and professionally with customers to document and mitigate the attacks. IBM, meanwhile, said it cooperated with government agencies and customers that expressed concerns.
FBI Ransomware Warnings to MSPs
The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about such attacks.
Although MSPs and their software providers have generally raised their defenses in 2019, attacks have continued and some corners of the MSP industry now face a “crisis of credibility,” ChannelE2E and MSSP Alert believe.
Still, more signs of progress are emerging. Thousands of MSPs are activating two-factor authentication as a means to stop hackers from entering systems. In many cases, software providers are activating 2FA as a default setting. And increasingly, the 2FA setting is mandatory.
Even so, 2FA isn’t a cure-all for mitigating ransomware attacks.
MSPs Fighting Ransomware: Basic First Steps
To get ahead of the ransomware threat, MSSP Alert and ChannelE2E have recommended that readers:
- Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.
- Study the NIST Cybersecurity Framework to understand how to mitigate risk within your own business before moving on to mitigate risk across your customer base.
- Explore cybersecurity awareness training for your business and your end-customers to drive down cyberattack hit rates.
- Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.
- Continue to attend channel-related conferences, but extend to attend major cybersecurity events — particularly RSA Conference, Black Hat and Amazon AWS re:Inforce. (PS: Also, keep your eyes open for PerchyCon 2020 — more details soon.)