Originally posted on Wired by Brian Barrett

IMAGINE YOU’RE A burglar. You’ve decided to tackle a high-end luxury apartment, the kind of building with multiple Picassos in the penthouse. You could spend weeks or months casing the place, studying every resident’s schedule, analyzing the locks on all the doors. You could dig through trash for hints about which units have alarms, run through every permutation of what the codes might be. Or you could also just steal the super’s keys.

According to a Justice Department indictment Thursday, that is effectively what China has done to the rest of the world since 2014. That’s when the country’s elite APT10—short for “advanced persistent threat”—hacking group decided to target not just individual companies in its long-standing efforts to steal intellectual property, but instead focus on so-called managed service providers. They’re the businesses that provide IT infrastructure like data storage or password management. Compromise MSPs, and you have a much easier path into all these clients. They’re the super.

“MSPs are incredibly valuable targets. They are people that you pay to have privileged access to your network,” says Benjamin Read, senior manager for cyberespionage analysis at FireEye. “It’s a potential foothold into hundreds of organizations.”

For an even greater sense of scale: The indictment alleges, among other things, that by hacking into a single New York-based MSP, APT10 was able to compromise data from companies in a dozen countries, from Brazil to the United Arab Emirates. With a single initial intrusion, Chinese spies could leapfrog to industries as varied as banking and finance, biotech, consumer electronics, health care, manufacturing, oil and gas, telecommunications, and more…

Read at Wired

Download PDF here