
Warning: Hacking Group Based in China Targeting UK Business Data

By Francis West on 5th April 2017

The National Cyber Security Centre and cyber units at PwC and BAE Systems have warned UK businesses about a hacking group, operating inside China, targeting UK-based B2B IT outsourcing companies with a view to reaching their customers.

Identified Through Collaboration

It is believed that the collaboration between the NCSC (the cyber branch of GCHQ), PwC and BAE Systems was the key to uncovering the criminal gang, which is now known to have been active, albeit at a lower level, since 2014.

The gang’s campaign, known as “APT10”, was ramped up in 2016, and the increased activity may also have been a contributing factor in the gang appearing on the NCSC’s radar. Some security commentators have suggested that these attacks represent sustained global cyber espionage on a spectacular scale.


Two of the main giveaways to the likely geographical location of the hacking group were a pattern of work that was in line with China Standard Time (UTC+8), and the fact that the nature of the targets was consistent with what are understood to be current Chinese interests.

Two crucial facts that have not yet been uncovered are the actual identities of the individual gang members and backers, and exactly how the group has chosen its targets.

Which Companies Have Been Targeted?

The combined security and business operation to unmask the hacking group has been codenamed “Cloud Hopper”. So far, it has discovered that organisations and companies in 14 countries including the UK, other European countries, and Japan have been targeted.

Attacks in Japan have been on commercial firms and public bodies. Particular interest has been paid by the hacking group to technology service firms / outsourced IT companies, and it is thought that APT10 plans to use them as a proxy for other attacks, e.g. on their business customers.

Known victims of the cyber attacks are reported to have been informed, but the full extent of the gang’s hacking activities is not yet known.

How Do They Operate?

The APT10 campaign has used phishing emails loaded with custom-made malware. These have been sent to staff in IT services firms in the first stage of an attack. After gaining access to company systems, the attackers have sought out intellectual property and other sensitive data.

The gang of hackers is reported to have used a large network of websites and domains as hubs for their attacks, and as conduits for the stolen data.

What Does This Mean For Your Business?

Although the report about the full extent of the APT10 campaign is yet to be released, companies are urged to take a proactive approach to check whether their systems have been targeted. Now may be a good time for businesses to seek professional advice about measures that could be taken to ensure cyber resilience, such as cyber security training for staff, health checks, risk assessments / audits, cyber security policies, Business Continuity and Disaster Recovery Plans.

As well as schemes such as the national filter for spam and malware, businesses in the UK could benefit from a boosted National Crime Agency, money for cyber security start-ups, and the increased cyber security expertise, knowledge and other potential spin-offs from the government’s much-needed investment in this critical area.

The introduction of the EU’s new GDPR data security rules in the UK in 2018 means that an investment in cyber security help for the UK should be very much welcomed by businesses of all kinds.