APT10 — attributed to China’s Ministry of State Security (MSS) and previously designated by NCSC, CISA, and the US Department of Justice for its Operation Cloud Hopper campaign — has resumed systematic targeting of managed service providers in the UK and wider Europe. Current activity mirrors the original Cloud Hopper methodology: compromise the MSP first, then use its privileged access to reach the real targets across its entire client portfolio.
Cloud Hopper Revisited
The original Cloud Hopper campaign, documented from 2016 and attributed in 2018 by the UK government and Five Eyes partners, was remarkable for its scale and patience. APT10 compromised the IT networks of MSPs servicing clients across aerospace, defence, finance, pharmaceutical, and government sectors. From those MSP footholds, it accessed client environments in at least 12 countries — often without targeting the client directly.
The advantage of the technique is straightforward: a single MSP compromise provides leveraged access to tens or hundreds of client environments simultaneously, each inheriting the MSP’s privileged credentials and network trust relationships.
Current observed activity updates this approach for cloud-delivered managed services:
Cloud management platform compromise. MSPs managing Microsoft 365, Azure, or AWS environments for clients hold delegated administrator credentials at scale. APT10 is targeting the management plane — the portals and tooling through which MSPs administer client tenants — rather than breaking into each client individually.
Legitimate remote access tool abuse. RMM (remote monitoring and management) platforms used by MSPs — ConnectWise, TeamViewer, N-able — are being abused as access mechanisms following initial credential theft. These tools generate volumes of legitimate-looking activity that blend with normal MSP operations.
Selective intelligence collection. APT10 is not indiscriminately collecting from all MSP clients. Collection appears targeted to organisations with R&D, defence contracts, or government-adjacent relationships — consistent with Chinese state intelligence priorities.
UK Professional Services Exposure
Law firms, accountancies, and management consultancies that use managed IT services are in scope as downstream targets. Firms that have been publicly involved in significant government contracts, M&A transactions involving Chinese-interest industries, or regulatory proceedings affecting Chinese businesses are likely to be prioritised targets.
The 2018 Cloud Hopper attribution included professional services firms among the affected sectors. The current campaign’s targeting logic is consistent with continued interest in that sector.
Recommended Actions
- Audit your MSP’s access model. Understand precisely what delegated permissions your managed service provider holds in your cloud tenants. Verify that access is scoped to what is operationally necessary.
- Require MFA and conditional access for MSP admin accounts. Delegated admin access without phishing-resistant MFA is a critical exposure.
- Include MSP security posture in supplier assurance. If your IT delivery depends on an MSP, that MSP’s security is your security. Review their cyber security assurance and incident response obligations contractually.
- Monitor for anomalous MSP access patterns. Log all administrative actions performed by MSP accounts. Lateral movement or access to sensitive data outside normal support patterns should generate alerts.
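The following is an added illustration of the last two recommendations (scoping MSP access and alerting on activity outside normal support patterns); it is not tooling from the advisory's author or from any MSP. It runs a small baseline over constructed audit records laid out in the style of a Microsoft 365 unified audit log export. The MSP account names, the declared egress range, the agreed support operations, the support window and the sample records are all assumptions constructed for the example; a client would replace them with the values from its own MSP contract and tenant.

```python
"""Flag MSP delegated-admin activity that falls outside the agreed support baseline.

Constructed example: the accounts, IP ranges, operation sets, window and
records below are assumptions, not data from any real tenant or MSP.
Operation names follow the Microsoft 365 unified audit log convention.
"""
import ipaddress
from datetime import datetime, time

# Constructed: identities the MSP is contractually permitted to use in this tenant.
MSP_ACCOUNTS = {"svc-msp-admin@contoso.example", "helpdesk@msp.example"}
# Constructed: egress ranges the MSP declared for its RMM and management tooling.
MSP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: operations that fall within routine, agreed support scope.
ROUTINE_OPS = {"Reset user password.", "Update user.", "Add member to group."}
# Constructed: operations that grant persistence or read content; never routine support.
HIGH_RISK_OPS = {
    "Add member to role.",      # privileged role grant
    "Consent to application.",  # OAuth app consent (durable API access)
    "New-InboxRule",            # mailbox forwarding/hiding rules
    "Set-Mailbox",              # mailbox configuration changes
    "MailItemsAccessed",        # mailbox content read
    "FileDownloaded",           # SharePoint/OneDrive content pulled
}
SUPPORT_START, SUPPORT_END = time(8, 0), time(18, 0)  # UTC, constructed


def _from_msp_egress(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MSP_EGRESS)


def _in_support_window(ts):
    return SUPPORT_START <= ts.time() < SUPPORT_END


def assess(record):
    """Return the reasons one MSP audit record deviates from the baseline (empty = routine)."""
    reasons = []
    op = record["Operation"]
    ts = datetime.fromisoformat(record["CreationTime"])
    if op in HIGH_RISK_OPS:
        reasons.append("high-risk operation outside support scope: " + op)
    elif op not in ROUTINE_OPS:
        reasons.append("operation not in agreed support scope: " + op)
    if not _in_support_window(ts):
        reasons.append("outside support window: %s UTC" % ts.strftime("%H:%M"))
    if not _from_msp_egress(record["ClientIP"]):
        reasons.append("source %s not in MSP declared egress ranges" % record["ClientIP"])
    return reasons


def find_anomalies(records):
    """Apply the baseline to every record performed by an MSP delegated account."""
    findings = []
    for r in records:
        if r["UserId"] not in MSP_ACCOUNTS:
            continue  # non-MSP identities are covered by other detections, not this one
        reasons = assess(r)
        if reasons:
            findings.append({
                "UserId": r["UserId"], "Operation": r["Operation"],
                "ObjectId": r["ObjectId"], "Reasons": reasons,
            })
    return findings


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-14T10:15:00", "UserId": "svc-msp-admin@contoso.example",
     "Operation": "Reset user password.", "ObjectId": "bob@contoso.example", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-14T02:40:00", "UserId": "svc-msp-admin@contoso.example",
     "Operation": "Add member to role.", "ObjectId": "Global Administrator", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2024-05-14T14:00:00", "UserId": "helpdesk@msp.example",
     "Operation": "MailItemsAccessed", "ObjectId": "general-counsel@contoso.example", "ClientIP": "203.0.113.22"},
    {"CreationTime": "2024-05-14T03:00:00", "UserId": "alice@contoso.example",
     "Operation": "Add member to role.", "ObjectId": "Exchange Administrator", "ClientIP": "198.51.100.9"},
    {"CreationTime": "2024-05-14T11:00:00", "UserId": "helpdesk@msp.example",
     "Operation": "Update user.", "ObjectId": "carol@contoso.example", "ClientIP": "203.0.113.5"},
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_RECORDS):
        print(finding["UserId"], finding["Operation"], finding["ObjectId"])
        for reason in finding["Reasons"]:
            print("  -", reason)
```

Of the five constructed records, two are flagged: the role grant at 02:40 from an undeclared address trips all three checks, and the mailbox read against the general counsel's account is flagged purely because content access is outside support scope even though it came from the MSP's declared range during working hours. The first test is the one that catches a stolen MSP credential being driven from attacker infrastructure; the second is the one that catches the selective collection the advisory describes, which happens through legitimate tooling and legitimate network paths. A real deployment would take the baseline values from the contract and the MSP's onboarding record rather than hard-coding them, and would feed findings into the same alerting path as the tenant's other privileged-access detections.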