6 April, 2017 

The National Cyber Security Centre (NCSC) is aware of a global cyber intrusion campaign targeting multi-national IT service providers.

Given the global nature of the campaign, our response has been informed through consultation with our security partners.

There is no suggestion that this campaign is targeting the general public or small to medium enterprises.

The NCSC has provided advice on threat protection and response to key government and private sector organisations.

Our recommendations to organisations include:

  1. Carry out an investigation to check networks for any of the indicators included in the PwC UK and BAE Systems reports.
  2. Audit administrative access into your organisation’s networks (especially via third parties) and carry out the recommendations in the NCSC Advisory NCSC CSA-006-17.

We note that IP addresses in isolation are not considered to be strong indicators of a compromise. Activity related to IP addresses should be examined in the context of overall network traffic within each organisation to determine whether or not it may be malicious.

If you identify any activity that appears to be malicious, or would like to discuss this particular threat further, please call the NCSC incident line on 04 498 7654.

Some open source reporting:

https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

http://www.baesystems.com/en/cybersecurity/blog/apt10-operation-cloud-hopper