Operation Cloud Hopper shows we can't rely on anti-virus alone

This is a contributed piece by Greg Sim, CEO at Glasswall Solutions

It is bad enough that the China-based APT10 hackers have so effectively breached the cyber defences of major commercial and governmental organisations around the world. What makes this attack so much worse is that in most cases it was achieved with a simple decoy email attachment.

The grim details are in a new report from PwC UK and BAE Systems which describes how APT10’s Operation Cloud Hopper has stolen high volumes of intellectual property and sensitive data from some of the world’s major businesses, in a “global operation of unprecedented size and scale”.

The standard “compromise methodology” used by APT10 was a simple spear phishing email with a malicious “executable” attachment. Using previously-acquired data, these emails appeared to be legitimate messages from a public sector entity, such as the Japan International Cooperation Agency, while the attachments addressed a topic the hackers knew would be of direct relevance to whoever received it. The urge to click open the attachment must have been irresistible, activating the malware code the criminals hid in the structure or content of the file attachment.

They cunningly targeted managed IT service providers (MSPs). Once triggered, the malware immediately flew through networks, heading into the systems of the MSPs’ major clients, where it set to work stealing highly confidential plans, designs and data. In Japan, the remarkably well-resourced APT10 hackers simply staged direct assaults on businesses and organisations.

What is so galling is that most of these Operation Cloud Hopper breaches could have been prevented with more innovative email security technology. By putting their faith entirely in the failed anti-virus solutions touted by the big cyber security vendors, the breached organisations have left themselves wide open to the main method of attack, which is in email attachments.

Anti-virus solutions are not only incapable of detecting 100% of the viruses out there, but also cannot detect the sophisticated threats that hackers such as APT10 now deploy inside the common file types, such as Word, Excel, PDF and PowerPoint, that form most email attachments.

It is worth considering that anti-virus technology relies on identifying the signature of each piece of malware. This means that an attack has to be mounted before the signature can be identified. Yet even though, as the report details, the activities of APT10 and its malware variants have been well-documented since 2009, these China-based hackers still got through.

PwC and BAE have exposed how APT10 malware was first identified when the criminal group was found to be targeting Western defence companies eight years ago. Since then its variants such as Poison Ivy, PlugX, Quasar, EvilGrab and more recently the bespoke ChChes and RedLeaves, have all been documented.

Yet despite having all this threat-information at their fingertips, the anti-virus companies have still been hopelessly inadequate in protecting major clients. While they look for a name to give to an updated version of the malware, it has been easy for APT10 to escalate its attacks with its cleverly-crafted decoy emails.

Its selection of MSPs is also not unexpected. MSPs often have systems that overlap with their clients’, offering ready access to entire supply chains and all their data. Once its malware is inside a network, APT10 moves laterally between MSPs and other victims and uses a sophisticated pathway to exfiltrate the data it has stolen, leaving minimal traces.

Now many of the victim businesses that relied on anti-virus defences will find that their vital intellectual property is sitting on a competitor’s desk in China.

All along the anti-virus companies have known that they can only defend against, at best, 95% of the malware that is out there. So when remarkably well-staffed hacking groups in China go to work, their malicious exploits are bound to be among that five per cent that always gets through.

Operation Cloud Hopper makes it clearer than ever that organisations are leaving themselves vulnerable to attack by relying on leaky old anti-virus defences that are incapable of detecting the lethal threats hidden inside either the content or structures of common file types.

When the anti-virus companies admit that they can only protect against 95% of known malware, all businesses and organisations must adopt more innovative solutions such as file-regeneration technology. This addresses today’s and tomorrow’s threats, instead of searching for what was a threat yesterday.

File-regeneration solutions act as impenetrable barriers, keeping out 100% of malicious exploits in file attachments such as Word, Excel, PDF or PowerPoint. All of these documents have a design standard against which every attachment can be measured in milliseconds, ensuring only the authentic and known good is permitted inside an organisation according to its established risk policy, and without disrupting normal operations.
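The regeneration approach described above, as an added illustration written for this page (it is example code, not Glasswall's product or any vendor's implementation): a .docx is an OOXML ZIP package, so the example rebuilds one from an allowlist of structural parts, discards anything outside that design standard (here a constructed macro part and an external OLE relationship), and reports what it removed so the decision can be logged. The allowlist, the risky-relationship pattern and the sample document are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Parts a minimal .docx needs to render; anything else is dropped on regeneration.
# The allowlist is an assumption made for this example, not any vendor's real policy.
ALLOWED_PART = re.compile(
    r"^(\[Content_Types\]\.xml|_rels/\.rels|docProps/(app|core)\.xml"
    r"|word/(document|styles|settings|fontTable|numbering)\.xml"
    r"|word/_rels/document\.xml\.rels|word/media/[^/]+\.(png|jpe?g))$")
# Relationship entries that load macros, OLE objects or external content.
RISKY_REL = re.compile(
    rb'<Relationship\b[^>]*(vbaProject|oleObject|TargetMode="External")[^>]*/>', re.I)

def regenerate_docx(data: bytes):
    """Rebuild a .docx from allowlisted parts; return (new_file, kept_parts, dropped_names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    kept, dropped = {}, []
    for name in src.namelist():
        if ALLOWED_PART.match(name):
            kept[name] = src.read(name)
        else:
            dropped.append(name)
    if "[Content_Types].xml" not in kept or "word/document.xml" not in kept:
        raise ValueError("package lacks the parts a .docx must have")
    for name in [n for n in kept if n.endswith(".rels")]:  # cut risky relationships
        kept[name] = RISKY_REL.sub(b"", kept[name])
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, body in kept.items():
            dst.writestr(name, body)
    return out.getvalue(), kept, dropped

def build_sample_docx() -> bytes:
    """Constructed sample: a .docx carrying a macro part and an external OLE link."""
    parts = {
        "[Content_Types].xml": b'<Types><Default Extension="xml" ContentType="application/xml"/></Types>',
        "word/document.xml": b"<w:document><w:body><w:p>Quarterly plan</w:p></w:body></w:document>",
        "word/_rels/document.xml.rels": (
            b'<Relationships><Relationship Id="rId2" Type="x/vbaProject" Target="vbaProject.bin"/>'
            b'<Relationship Id="rId3" Type="x/oleObject" Target="http://example.invalid/o" '
            b'TargetMode="External"/></Relationships>'),
        "word/vbaProject.bin": b"placeholder bytes standing in for a macro project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

A production regenerator would additionally validate each kept XML part against the OOXML schema and re-encode images rather than copying them through; the dropped-parts list is what you would feed into the organisation's risk policy and audit log.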

If the globe’s major organisations continue to ignore this technology and rely on anti-virus defences, the alternative is yet more disasters such as Operation Cloud Hopper.