BIPI

APT10 and the MSP Pivot: When Outsourced IT Becomes an Attack Vector

Threat Intelligence

APT10 systematically targeted managed service providers as a force multiplier, using ANEL and PlugX malware to pivot from MSP infrastructure to dozens of downstream clients across 45 countries.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 26, 2024 · 10 min read

#apt10 #stone-panda #menupass #msp #plugx #china #supply-chain

APT10, tracked as Stone Panda, Menupass, and most recently as Potassium by Microsoft, is a Chinese threat actor assessed with high confidence to operate under MSS direction. The group's defining campaign, Operation Cloud Hopper, was the most expansive known abuse of managed service providers as an attack vector, compromising MSPs in the United States, United Kingdom, Germany, Japan, India, and Australia to pivot to their downstream clients across government, aerospace, defense, financial services, and healthcare sectors.

The MSP as a Force Multiplier

The strategic logic of targeting MSPs is straightforward: a single MSP with 50 enterprise clients provides access to 50 separate networks with a single initial compromise. MSP staff have privileged administrative access to client environments, often including domain administrator rights, backup system access, and security tool management. By establishing persistence in the MSP's own infrastructure, APT10 could pivot to any client environment using legitimate administrative credentials and tools.

Operation Cloud Hopper ultimately affected confirmed victims in at least 45 countries. The 2018 DOJ indictment of two APT10 members described a decade of continuous intrusions against MSP infrastructure, framing the MSP pivot as a deliberate strategic model rather than opportunistic targeting.

ANEL and PlugX: The APT10 Toolkit

  • PlugX (also called Korplug): a modular RAT with plugin architecture supporting keylogging, file theft, shell access, and port forwarding; shared across multiple Chinese APT groups but extensively used by APT10
  • ANEL (also called UPPERCUT): a backdoor used primarily against Japanese targets, delivered via spearphishing and communicating over HTTPS with a custom encryption layer
  • RedLeaves: a PlugX fork with additional anti-analysis features including string encryption and API hashing to defeat static detection
  • ChChes: a lightweight first-stage implant used for initial beaconing before deploying heavier tools
  • Quasar RAT: an open-source tool used in some APT10 campaigns to reduce operational cost and blend with commodity threat actor activity

The Cloud Hopper Attack Flow

  1. Spearphishing of MSP employees with ANEL or PlugX delivered via weaponized Office documents or LNK files
  2. Persistence established in MSP infrastructure using scheduled tasks and registry run keys
  3. Lateral movement across MSP internal network to identify client management systems and remote access tools
  4. Credential harvesting targeting MSP admin accounts used for client RMM (Remote Monitoring and Management) tool access
  5. Pivot to client environments using legitimate MSP admin credentials via RDP, VPN, or RMM tools, appearing as normal MSP administrative activity
  6. Long-term data collection from client environments, including intellectual property and research files, staged to temporary directories before exfiltration through MSP infrastructure

Japanese Defense and Aerospace Targeting

Japan has been one of APT10's most consistent targets. The Tokyo Metropolitan Police Department's 2021 advisory confirmed APT10 had compromised approximately 200 Japanese companies and government agencies over a multi-year campaign. Targets included JAXA (the Japanese space agency), defense contractors, pharmaceutical companies, and think tanks. The campaign demonstrates that MSP pivoting is one component of a broader targeting strategy, not a replacement for direct spearphishing.

MITRE ATT&CK Mapping

  • T1199: Trusted Relationship, abusing MSP administrative access to pivot into client environments
  • T1078.002: Valid Accounts: Domain Accounts, targeting MSP domain administrator credentials for lateral movement
  • T1021.001: Remote Services: Remote Desktop Protocol, used to reach client environments with harvested MSP credentials
  • T1560.001: Archive Collected Data: Archive via Utility, using RAR and 7-Zip to stage exfiltration packages
  • T1074.002: Data Staged: Remote Data Staging, using attacker-controlled cloud storage for intermediate data collection
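A defender-side illustration of steps 4 to 6 of the attack flow and the T1021.001/T1560.001 mappings above, written for this article and not part of any vendor or BIPI tooling: it correlates RDP logons by known MSP administrative accounts from outside the MSP's expected source ranges with archive-utility activity writing into temp directories on the same host shortly afterwards. The account names, source ranges, and event records are constructed placeholders; in practice they come from the MSP contract and from Windows logon/process-creation telemetry.

```python
"""Detection sketch for the MSP-pivot pattern: an MSP admin account logs on over
RDP (T1021.001) from an unexpected source, then stages an archive (T1560.001)
in a temp directory. All event data below is constructed for the example."""
from datetime import datetime, timedelta
import ipaddress

# Hypothetical allowlist: the MSP's jump-host/RMM egress ranges and the
# administrative accounts it is contractually allowed to use.
MSP_ACCOUNTS = {"msp_svc_admin", "msp_tier2"}
MSP_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test range
ARCHIVE_TOOLS = {"rar.exe", "7z.exe", "7za.exe"}
TEMP_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")

# Constructed sample events: (timestamp, event_type, account, host, detail).
# For logons the detail is the source IP; for process starts it is the command line.
EVENTS = [
    ("2024-09-20 02:14:05", "logon_rdp", "msp_svc_admin", "fileserver01", "198.51.100.7"),
    ("2024-09-20 02:21:40", "process", "msp_svc_admin", "fileserver01",
     'c:\\tools\\rar.exe a -hp c:\\windows\\temp\\upd.rar "d:\\projects\\*"'),
    ("2024-09-20 10:00:00", "logon_rdp", "msp_tier2", "hr-ws12", "203.0.113.44"),
    ("2024-09-20 10:05:00", "process", "msp_tier2", "hr-ws12",
     "c:\\windows\\system32\\msiexec.exe /i patch.msi"),
]

def from_msp_network(ip):
    """True if the logon source falls inside the MSP's allowlisted ranges."""
    return any(ipaddress.ip_address(ip) in net for net in MSP_SOURCE_NETS)

def stages_archive_in_temp(cmdline):
    """True if an archive utility is invoked with a temp-directory path on its
    command line (the image path is taken as the first whitespace-delimited token)."""
    cmd = cmdline.lower()
    exe = cmd.split()[0].rsplit("\\", 1)[-1]
    return exe in ARCHIVE_TOOLS and any(t in cmd for t in TEMP_DIRS)

def find_pivot_candidates(events, window=timedelta(minutes=30)):
    """Return (account, host) pairs where an MSP account logged on via RDP from
    outside the MSP ranges and staged an archive in a temp dir within `window`."""
    hits, suspicious_logons = [], {}
    for ts, kind, account, host, detail in events:
        if account not in MSP_ACCOUNTS:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "logon_rdp" and not from_msp_network(detail):
            suspicious_logons[(account, host)] = t
        elif kind == "process" and stages_archive_in_temp(detail):
            logon_t = suspicious_logons.get((account, host))
            if logon_t is not None and t - logon_t <= window:
                hits.append((account, host))
    return hits

if __name__ == "__main__":
    print(find_pivot_candidates(EVENTS))  # [('msp_svc_admin', 'fileserver01')]
```

The second account's activity is not flagged because its logon came from the allowlisted range and the follow-on process was not an archive utility; tuning the source ranges and the window to the MSP's real maintenance pattern is what keeps this from drowning in benign MSP work.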

MSP Security Requirements


Operation Cloud Hopper established the MSP pivot as a documented, repeatable APT strategy. Any organization that outsources IT operations to a managed service provider inherits that MSP's security posture as part of its own attack surface. Supply chain security due diligence for technology service providers is not optional for organizations operating in APT10's target sectors.
