APTs Targeting IT Service Provider Customers

The Cybersecurity and Infrastructure Security Agency (CISA) has received multiple reports of advanced persistent threat (APT) actors actively exploiting trust relationships in information technology (IT) service provider networks around the world. The number of organizations using IT service providers—such as managed service providers (MSPs) and cloud service providers (CSPs)—has increased in recent years because IT service providers enable customers to scale and support network environments at a lower cost than financing these resources internally. IT service providers generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, IT service providers can achieve significant economies of scale. However, a compromise in one part of an IT service provider’s network can have globally cascading effects, impacting other customers and introducing significant risk.

CISA encourages customers of MSPs and CSPs to implement a defense-in-depth strategy to protect their infrastructure assets and increase the probability of successfully disrupting APT activity. CISA recommends MSP and CSP customers review the resources below to help formulate and build their defense-in-depth strategy.

Managed Service Provider Customers

CISA is aware of ongoing APT actor activity attempting to infiltrate the networks of global MSPs. Since at least May 2016, APT actors have used various tactics, techniques, and procedures for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several critical infrastructure sectors, including IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. See the products and resources below for information to help build a defense-in-depth strategy.

Cloud Service Provider Customers

The resources below provide a foundational reference point to help CSP customers understand and address the risks and challenges associated with using commercial cloud environments.

Identity Management

CISA is aware of ongoing APT actor activities against organizations operating trusted network relationships. Potential targets include parent companies, connected partners, and contracted MSPs and CSPs. APT actors can leverage legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations under the guise of authorized activity. Because the credentials are valid, this activity also lets APT actors reach other devices and trusted networks while blending in with authorized use and evading detection tools. See the resources below for further information.

Federal Government High Value Assets

Federal departments and agencies are responsible for the IT assets and personal information entrusted to them by hundreds of millions of Americans. Federal government High Value Assets (HVAs) enable essential functions and operations, provide services to citizens, generate and disseminate information, and facilitate greater productivity and economic prosperity. The resources in the links below provide additional contextual detail and hardening recommendations for HVAs.

IT Service Provider Customer Contracts

MSP and CSP customers should be aware that the decision to centralize information with an IT service provider can present risks to the confidentiality and integrity of their proprietary information. MSP and CSP customers should consider contract language that supports the customer’s needs and requirements for both virtual and physical security, including supply chain risk management. See the resources below for more information.

Additional Resources