MSP Networks Actively Targeted by Nation-State APTs, US Government Warns

The US Department of Homeland Security Computer Emergency Readiness Team has just issued a technical alert earlier this week, warning that US companies operating in critical sectors are at risk, as cyberespionage attempts from foreign governments were detected. Key targets include Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. From as early as May 2016, CERT says extensive Advanced Persistent Threat tactics, techniques, and procedures were deployed to infiltrate MSPs (managed service providers) customer networks to steal confidential information and interfere with government and business operations.

The criminals deploy a variety of “living off the land” techniques: legitimate credentials such as administration, domain and user, established off-the-shelf applications and pre-installed system tools such as command line scripts present in MSP customer networks. “Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks,” reads the government alert.

The technical alert couldn’t have come at a more appropriate time, as foreign operatives have already interfered at hardware level to attack US infrastructures. Chinese spies have allegedly infiltrated some 30 US-based companies, including Amazon, Microsoft and Apple, and spied on them through tiny microchips embedded in the Supermicro servers’ motherboards used by a large number of businesses, according to various government and business sources cited by Bloomberg. Government contractors and a high-level bank fell victim to the same malicious activity in their networks. On top of it all, Apple had planned on purchasing as many as 30,000 more servers to use in its infrastructure.

Although Amazon and Microsoft deny the supply chain attack story, Bloomberg states that Amazon is the one that informed US authorities about the microchips. “Investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines,” which turned it into a critical issue as similar servers were also used by government agencies such as the CIA and the Navy.

A thorough government investigation is what followed, yet the Chinese government avoids giving clear explanations. “Supply chain safety in cyberspace is an issue of common concern, and China is also a victim,” replied the Chinese government when asked about hardware manipulations, while Supermicro responded “We remain unaware of any such investigation.”

Considering the large attack surface, the APT actor activity alert contains recommendations to help targeted companies detect malicious activity and mitigate associated risks. Even though there’s no explicit mention about the aforementioned nation-state attack, the alert does refer to the warning the Department of Homeland Security issued in April 2017 when “an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants.”

To prevent such scenarios, Bitdefender offers dedicated solutions that protect against even the most advanced attacks. MSPs can benefit from advanced endpoint protection that utilizes machine learning and advanced heuristics to detect and block even the most sophisticated advanced and fileless attacks. 

Read this Solution Brief to learn more about the threats of script-based attacks and how you can leverage tunable machine learning to secure your network and your customers against them.