Unmasking a global cyber espionage campaign

Setting the scene

For the last eight years, and possibly even longer, a global espionage campaign has been underway. Believed to be the work of a threat actor based in China and known to the security community as APT10, the campaign has seen a wide-ranging information collection spree conducted initially against the US defence industrial base and the technology and telecommunications sector, but now spreading to multiple industries and sectors worldwide.

Most recently, managed IT service providers (MSPs) have been under attack. And the campaign against them – known as Operation Cloud Hopper – has given APT10 unprecedented access to the intellectual property and sensitive data of MSPs and their clients across the globe.

“The indirect approach of this attack highlights the need for organisations to have a comprehensive view of their threat landscape, which includes their supply chain, and focus on improving their ability to hunt for this type of activity.”

Kris McConkeyCyber security partner, PwC UK

How we helped

Since late 2016, PwC UK has been helping the victims of these attacks. PwC's threat intelligence team has been collaborating with other leading security research organisations and the UK's National Cyber Security Centre to track and research APT10’s actions, and PwC UK’s incident response team has been leading investigations into security compromises linked to APT10, and actively removing the attacker's access to victim organisations' systems and data.

The collaborative research uncovered important new information. It found that APT10 almost certainly benefits from significant staffing and logistical resources, which have been stepped up since 2016. It also found that APT10’s operations over the past two years have likely comprised multiple teams, each responsible for a different process – domain registration, infrastructure management, malware development, target operations and analysis.

The research also gave further weight to the belief that APT10 is a China-based threat actor, based on patterns within domain registrations and file compilation times. It showed how APT10 has been systematically targeting Japanese organisations using the bespoke malware called ‘ChChes’.

“New forms of attack require new ways of working to defend our society. Close working and collaboration is key.”

Richard HorneCyber security partner, PwC UK


This collaboration enabled PwC UK to provide an essential heads up to the global security community, as well as MSPs and known victims, to help prevent, detect and respond to ATP10’s attacks. The firm also shared its detailed technical analysis, including the critical ‘indicators of compromise’, with the UK’s National Cyber Security Centre.

As Richard Horne, Cyber Security Partner at PwC UK, put it: “The future of cyber defence lies beyond simple intelligence sharing, but in forging true collaboration between organisations in the public and private sector with the deep technical and innovative skills required to combat this type of threat”.

Follow us