CISA Official Offers Details into China-Led Attacks of U.S. Managed Service Providers

The Cybersecurity and Infrastructure Security Agency’s cyber threat analysis chief shared fresh details this week around an ongoing campaign of cyberattacks linked to the Chinese government, specifically targeting managed service providers. 

“The core issue with the compromise of managed service providers is that it really gives the attacker a force-multiplier effect,” CISA’s Rex Booth said at a summit hosted by FCW Thursday. 

Earlier this year, Homeland Security conducted a series of webinars to educate the American public about the rising attacks that take advantage of companies’ possible internal vulnerabilities. Since 2006, the Homeland Security Department has tracked a threat group, commonly known in the security industry as APT10, which Booth noted is sponsored by the Ministry of State Security in China. Between 2014 to 2018, the agency noticed a strategic shift in the threat group's tactics: The hackers began specifically targeting America’s managed services providers, or MSPs. Those providers remotely manage customers’ information technology infrastructure or other tech-based systems.

“That in itself wasn’t necessarily alarming,” Booth said. “That wasn’t the trigger, obviously—that’s a period of four years—and we are not that slow.” But by the end of 2018, the agency noticed a severe uptick in the attacks, and in its mission to “protect the internet,” Booth said CISA deemed it necessary to notify the public. In the past, most attacks would be what’s known as “one to one events,” that is, one company would face one attacker, which would be less intense to tackle. But due to rapidly progressing technological advancements, MSPs and today’s threat-scape are much more complex. 

“Now, when you are looking at the opportunity for the attackers to tackle these MSPs, it’s a much more difficult thing to scope out and scale,” Booth said. “You don’t necessarily know who their intended target is because at any provider there might be dozens and dozens of potential targets.”

Further, Booth said CISA has come to recognize that both China’s five-year plan and its set of goals to accomplish by 2025 indicate that targeting the entities that MSPs align with the nation’s articulated strategic objectives and advantages. It’s clear, Booth noted, that the adversary is homing in on harming a long list of MSPs. 

“So it makes the responders’ job a little bit more difficult, and frankly, it creates a much wider swath of potential damage—not only for the intended victims, or the intended targets from an attacker perspective, but also for collateral damage as well,” he said. “Because all the folks, all the organizations that were using those MSPs now have to question the security of their data, resources, and systems.”

In the months following the webinars, Booth noted it’s been difficult to assess the exposure’s impact—“it varies,” he said. Within the security analytical community, there’s disagreement between what APT10’s subsequent activity has been like. One of the more prominent vendors that tracks the threat group believes the malicious actors have since shifted away from MSP compromises and are now focusing on other tactics and targets. But other vendors in the private sector suggest that APT10 is continuing to attack MSPs. Still, Booth noted that threat analysis is “an art, not a science.” There is not ever a sort of perfect visibility into bad actors’ efforts. 

“But this is something that we certainly should continue to expect—I don’t think it’s going to change,” Booth said. “One attacker might change what they are focused on from any given point. But as a whole, as an ecosystem, this is a kind of vulnerability that we have, and that we really need to address.”