Cyber Incident Victim: Managed Service Providers
Date: Oct 2018
Location: United States of America
Summary
The US Department of Homeland Security issued an alert about advanced persistent threat attacks targeting managed service providers, with the activity attributed to the APT10 cyber-espionage group. These operations exploited cloud-based services to carry out supply chain compromises, consistent with earlier industry warnings about similar tactics. The advisory referenced prior threat intelligence and emphasized the risk to business infrastructure that increasingly relies on online platforms, highlighting coordinated efforts to infiltrate service providers as a critical vector for broader network intrusions.
Description
On October 3, 2018, the U.S. Department of Homeland Security (DHS) issued an alert through the United States Computer Emergency Readiness Team (US-CERT) regarding ongoing advanced persistent threat (APT) attacks targeting managed service providers (MSPs), which deliver cloud-based services to businesses. The DHS attributed these attacks to APT10, a cyber-espionage group linked to Chinese state interests and known by aliases including Red Apollo, Stone Panda, POTASSIUM, and MenuPass. These intrusions aligned with tactics described in a prior DHS advisory, TA17-117A, which had documented related malicious activity. The attackers exploited MSPs’ privileged network access to infiltrate client organizations, reflecting a broader trend of adversaries targeting supply chain vulnerabilities as businesses migrated operations to cloud environments. US-CERT’s alert emphasized the strategic significance of MSP compromises, noting that cloud services had become integral to corporate supply chains globally.

The incident followed warnings from multiple cybersecurity entities. A joint report by PwC and BAE Systems detailed APT10’s campaigns against cloud service providers dating back to at least April 2017, corroborating the DHS’s findings. Additionally, ProtectWise’s 401TRG team highlighted in May 2018 that Chinese threat actors were actively preparing supply chain attacks, underscoring the persistent nature of the threat. In response to the October 2018 attacks, US-CERT released technical recommendations for securing MSP infrastructures and detecting intrusions, accompanied by a supplementary guide on credential and privileged-access management to mitigate unauthorized access. The DHS did not explicitly name the responsible nation-state but provided sufficient indicators for the cybersecurity community to assess the attacks’ origins independently.
