At the beginning of this month, following the release of a report entitled "Operation Cloud Hopper" produced by PwC and BAE Systems (the Report), the National Cyber Security Centre (NCSC) announced that it had become aware of "ongoing targeted attacks against global Managed Service Providers by a hostile actor". In the Report, PwC and BAE identify a China-based actor, most likely the group known as "APT10", as the culprit behind the attacks. The Report describes a widespread campaign targeting managed IT service providers (MSPs) with the aim of using the MSPs' access to infiltrate their customers' networks and steal intellectual property and other sensitive data.
The methods used by APT10 are sophisticated and designed to avoid detection. According to the Report, APT10 has been seen to exfiltrate customer data via the MSP's network rather than directly from the customer: because traffic between an MSP and the systems it manages is expected and trusted, exfiltration over those connections is unlikely to be picked up by the customer's own network defences. APT10 is not seeking notoriety or to make a political statement, so its victims are unlikely to discover they have been hacked through leaks of their sensitive information online.
For companies that use MSPs as part of their business, the Report is a public flag as regards their vulnerability and it would be prudent to act immediately to assess the potential threat. In this article we explore the action that such companies should take in light of the Report.
Contact your service provider
On its website the NCSC recommends various actions for customers to pursue with their MSPs if they have concerns:
"You should contact your MSP and discuss their response to these attacks, including whether and how you have been affected. You should ensure that your MSPs are doing everything necessary to investigate whether they have been compromised and what effect any such compromise has had on their customers."
Ideally your MSP will issue a statement to all of its customers setting out its response to the Report and will be happy to respond to customer queries. However, if you are one of a significant number of customers, your MSP may be reluctant to conduct an investigation specific to your account. In addition, if your MSP is in the process of conducting its own internal investigation, it may be extremely guarded and not want to share information that might affect its liability.
If your MSP is not willing to co-operate, you will need to consider the different contractual tools you might be able to invoke in order to implement the NCSC's advice.
Consider the relevant contractual provisions
Some agreements contain specific security obligations and/or policies with which an MSP is obliged to comply. Consider whether there is a specific obligation you can point to which requires the MSP to investigate in these circumstances. This might be covered by reporting requirements within your agreement.
Contracts with MSPs increasingly contain breach notification provisions. However, these often only bite where an MSP has actually identified a security breach, which would not oblige an MSP to go looking for one on the basis of the Report. If the provision was drafted more broadly, it might bite where the MSP has reason to suspect that there might have been a breach. Arguably, the contents of the Report are sufficient to give an MSP that reason.
Failing this, you could also consider whether your agreement contains an obligation on the MSP to provide its services in accordance with good industry practice. It might be argued that this places an obligation on the MSP to investigate a specific threat highlighted by a body such as the NCSC.
If the relevant agreement covers personal data and has already been "future-proofed" to ensure compliance with the General Data Protection Regulation (GDPR), you may be able to use some of the more extensive obligations placed on an MSP as a data processor to achieve the same end.
What to consider when a breach is identified
If you or your MSP identify a breach of your or its systems, you will need to consider your obligations to your own customers and potentially also regulators. For example, do you need to notify your own customers or any regulators of the breach?
The first priority is to determine the nature and extent of the breach. As APT10 is known to operate in a very secretive manner and is not known for bragging about its achievements, this is likely to be quite difficult. Employing your own forensic investigator to ascertain the extent of the damage may be a necessary first step; given the way this campaign operates, that investigation should cover not only your own systems but also the accounts, credentials and remote access routes your MSP uses to reach them.
This type of incident could lead to some interesting questions around liability as it may be hard to quantify the loss a party has suffered as a result of such breach. A fine from a regulator, such as the Information Commissioner's Office, would be fairly easy to quantify however it could be harder to quantify the loss suffered due to the theft of intellectual property. This might be done by reference to the licence fees that the owner of such intellectual property would usually charge for its use.
Is termination an option?
If you are not satisfied with the response of your MSP then, in its advice, the NCSC suggests you might want to consider changing MSP. In order to do this, you would need to have a right to terminate under the agreement.
In order to terminate for breach, you would need to identify a clear material breach of a provision of the agreement and consider the associated termination rights, for example, do they give the MSP the right to rectify such breach? The agreement may contain a right to terminate for convenience in which case any associated termination charges and notification periods should be taken into account.
In either case, a customer should consider the nature of the services being provided and the scope of obligations on the MSP in respect of exit. For example: Is there an exit plan? Will exit involve the transfer of data? Does the customer have to pay for exit assistance and, if so, at what rates?
The contents of this Report may bring about a change in the standard form for contracts with MSPs. It seems inevitable that it will mean a greater focus on security provisions. It might also lead to the incorporation of specific requirements on an MSP to co-operate and provide information in these circumstances. However, it is worth bearing in mind that, in respect of commoditised services, you get what you get and the terms are often difficult to negotiate. In that case you need to ensure you have done your due diligence on the MSP in question before signing up and that, in light of this, you are prepared to accept the potential risks.
Where to go from here
Only once you have spoken to your MSP will you be able to determine which of these steps are necessary. It is in an MSP's long-term interests to co-operate with its customers in this scenario. Even so, given the prevalence of cyber-attacks and the sophistication of entities like APT10, it is worth bearing some of these contractual tools in mind when engaging and negotiating with MSPs in future.