PwC collaborates with public and private sector partners to uncover new sustained global cyber espionage campaign

PwC’s cyber security practice has worked closely with BAE Systems and other members of the security community – including the UK’s newly-established National Cyber Security Centre – to uncover and disrupt what’s thought to be one of the largest-ever sustained global cyber espionage campaigns.

Since late 2016, when the scale of the espionage campaign became increasingly apparent, PwC and BAE Systems – through their membership of the Cyber Incident Response (CIR) scheme – have shared their research results pertaining to the campaign with the National Cyber Security Centre, which has notified affected communities.

PwC and BAE Systems believe the hacking group widely known as APT10 conducted the espionage campaign by targeting providers of managed outsourced IT services as a ‘way in’ to their customers’ organisations around the world, gaining unprecedented access to Intellectual Property and sensitive data. This indirect approach of reaching many through only a few targets demonstrates a “new level of maturity” in cyber espionage.

The sheer scale of the operation was only uncovered through collaboration, and is still only likely to reflect a small portion of APT10’s global operations.

Richard Horne, cyber security partner at PwC, commented: “The future of cyber defence lies beyond simple intelligence sharing. It’s about forging true collaboration between organisations in the public and private sectors with the deep technical and innovative skills required to combat this type of threat. This operation has demonstrated the importance of the recently established National Cyber Security Centre, which was set up for moments just like this one. Operating alone, none of us would have joined the dots to uncover this new campaign of indirect attacks. Together, we’ve been working to brief the global security community, Managed Service Providers and known end victims to help prevent, detect and respond to these attacks. New forms of attack require new ways of working to defend our society. Close working collaboration is key.”

APT10 campaign: key findings

*APT10 targeting Managed Service Provider’s networks from 2016 onwards (it’s likely that this activity had begun as early as 2014)

*APT10 has significantly increased its scale and capability since early 2016, adding new developers and intrusion operators to continually enhance that capability

*APT10 focuses on espionage activity, targeting Intellectual Property and other sensitive data from a wide range of sectors and countries. The group is known to have exfiltrated a high volume of data from multiple victims and used compromised networks to stealthily move this data around the world

*a number of Japanese organisations have also been targeted directly in a separate, simultaneous campaign orchestrated by the same group, with APT10 masquerading as legitimate Japanese Government entities in order to gain access

Kris McConkey (cyber threat detection and response partner at PwC, who presented on the findings of this joint research at the Kaspersky Labs Security Analyst Summit in St Maarten on 3 April) added: “The indirect approach of this attack highlights the need for organisations to have a comprehensive view of the threats to which they’re exposed, including those of their supply chain. Alongside our research work, we’ve also notified the threat intelligence community and worked with the National Cyber Security Centre to notify Managed Service Providers and known victims.”

McConkey added: “This is a global campaign with the potential to affect a wide range of countries. On that basis, organisations around the world should work with their security teams and solution providers to check networks for the key warning signs of compromise and then ensure that they respond and protect themselves accordingly.”

*For copies of PwC and BAE Systems’ report on the APT10 operation visit

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts