APTs Targeting IT Service Provider Customers

The Cybersecurity and Infrastructure Security Agency (CISA) has received multiple reports of advanced persistent threat (APT) actors actively exploiting trust relationships in information technology (IT) service provider networks around the world. The number of organizations using IT service providers—such as managed service providers (MSPs) and cloud service providers (CSPs)—has increased in recent years because IT service providers enable customers to scale and support network environments at a lower cost than financing these resources internally. IT service providers generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, IT service providers can achieve significant economies of scale. However, a compromise in one part of an IT service provider’s network can have globally cascading effects, impacting other customers and introducing significant risk.

CISA encourages customers of MSPs and CSPs to implement a defense-in-depth strategy to protect their infrastructure assets and increase the probability of successfully disrupting APT activity. CISA recommends MSP and CSP customers review the resources below to help formulate and build their defense-in-depth strategy.

IT Service Provider Customers

  • Organizations that rely on IT service providers should ensure their providers have conducted a review to determine if there is a security concern or compromise, and have implemented appropriate mitigation and detection tools for this cyber activity.
  • IT service provider customers should also:
    • Review and verify all connections between customer systems, service provider systems, and other client enclaves;
    • Verify service provider accounts in their environment are being used for appropriate purposes and are disabled when not actively being used;
    • Ensure contractual relationships with all service providers implement:
      • Security controls as deemed appropriate by the client,
      • Appropriate monitoring and logging of client systems provided by the service provider,
      • Appropriate monitoring of service provider’s presence, activities, and connections to the customer network, and
      • Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
    • Integrate system log files—and network monitoring data from IT service provider infrastructure and systems—into customer intrusion detection and security monitoring systems for independent correlation, aggregation, and detection.
    • See the Managed Service Provider Customers and Cloud Service Provider Customers sections below for additional information, tools, and resources.
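One way a customer can act on the account-verification and log-integration items above is to run the provider's account inventory against its own authentication logs. The script below is an added example, not CISA's code or a tool from the page: it assumes a hypothetical inventory (provider account names, approved maintenance windows in UTC, declared source networks) and constructed syslog-style lines, and flags provider-account logons outside the approved window, logons from undeclared networks, and provider accounts that are still enabled without recent use.

```python
"""Added example (not CISA's code): audit IT service provider accounts in a
customer environment against constructed authentication log lines.

Hypothetical assumptions: provider accounts, their approved maintenance
windows (UTC) and declared source networks live in a small inventory dict,
and each log line has the form
  <ISO-8601 timestamp> host=<name> user=<account> src=<ip> result=<success|failure>
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, time, timedelta, timezone

# Constructed inventory of provider accounts (hypothetical names and ranges).
PROVIDER_ACCOUNTS = {
    "msp-admin":  {"enabled": True, "allowed_src": ["203.0.113.0/24"], "window": ("02:00", "04:00")},
    "msp-backup": {"enabled": True, "allowed_src": ["203.0.113.0/24"], "window": ("01:00", "05:00")},
}

# Constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T02:15:00Z host=fileserver01 user=msp-admin src=203.0.113.10 result=success
2024-03-01T14:30:00Z host=dc01 user=msp-admin src=203.0.113.10 result=success
2024-03-02T03:00:00Z host=fileserver01 user=msp-admin src=198.51.100.7 result=success
2024-03-02T03:05:00Z host=dc01 user=alice src=10.0.5.21 result=success
"""

# Point in time at which the audit is run (constructed).
REFERENCE_TIME = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; 'ts' becomes a timezone-aware datetime."""
    stamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return event


def in_window(ts: datetime, window: tuple[str, str]) -> bool:
    """True if the UTC time of day is inside [start, end); handles windows crossing midnight."""
    start, end = (time.fromisoformat(w) for w in window)
    t = ts.astimezone(timezone.utc).time()
    return start <= t < end if start <= end else (t >= start or t < end)


def allowed_source(ip: str, networks: list[str]) -> bool:
    """True if the source address lies in one of the provider's declared networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def audit(inventory: dict, log_text: str, now: datetime, max_idle_days: int = 30) -> list[dict]:
    """Return findings for provider accounts: off-window use, undeclared sources, idle-but-enabled."""
    findings: list[dict] = []
    last_seen: dict[str, datetime] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        acct = ev["user"]
        if acct not in inventory:
            continue  # not a provider account; outside this audit's scope
        spec = inventory[acct]
        if acct not in last_seen or ev["ts"] > last_seen[acct]:
            last_seen[acct] = ev["ts"]
        if not in_window(ev["ts"], spec["window"]):
            findings.append({"kind": "outside_window", "account": acct,
                             "host": ev["host"], "ts": ev["ts"].isoformat()})
        if not allowed_source(ev["src"], spec["allowed_src"]):
            findings.append({"kind": "unexpected_source", "account": acct,
                             "src": ev["src"], "ts": ev["ts"].isoformat()})
    # Accounts that stay enabled with no activity should be disabled until needed.
    for acct, spec in inventory.items():
        seen = last_seen.get(acct)
        if spec["enabled"] and (seen is None or now - seen > timedelta(days=max_idle_days)):
            findings.append({"kind": "enabled_but_idle", "account": acct,
                             "last_seen": seen.isoformat() if seen else None})
    return findings


def run_audit() -> list[dict]:
    """Run the audit over the constructed inventory and log at the constructed reference time."""
    return audit(PROVIDER_ACCOUNTS, SAMPLE_LOG, REFERENCE_TIME)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

The three checks map to the items above: the window and source checks verify that provider accounts are used only for approved purposes, and the idle check catches accounts that should have been disabled. In practice the inventory would be pulled from the provider's contract or change records and the log text from the customer's own SIEM, so the correlation stays independent of the provider.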

Managed Service Provider Customers

CISA is aware of ongoing APT actor activity attempting to infiltrate the networks of global MSPs. Since at least May 2016, APT actors have used various tactics, techniques, and procedures for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several critical infrastructure sectors, including IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. See the products and resources below for information to help build a defense-in-depth strategy.

Cloud Service Provider Customers

The resources below provide a foundational reference point to aid CSP customers with the risks and challenges associated with using commercial cloud environments.

IT Service Providers

  • Providers should fully implement the mitigation actions on this page to protect against this malicious activity. Additionally, providers should implement the following specific actions.
    • Apply the principle of least privilege to their environment, which means customer data sets are separated logically, and access to client networks is not shared.
    • Implement robust network and host-based monitoring solutions that look for known malicious activity and anomalous behavior on the infrastructure and systems providing client services.
    • Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse.
    • Work with their customers to ensure hosted infrastructure is monitored and maintained, either by the service provider or the client.
  • Providers may consult the Operation Cloud Hopper private industry report. Note: CISA does not endorse any commercial products or services identified in this report. Any hyperlinked websites do not constitute endorsement by CISA of the website or the information, products, or services contained therein.

Identity Management

CISA is aware of ongoing APT actor activities against organizations operating trusted network relationships. Potential targets include parent companies, connected partners, and contracted MSPs and CSPs. APT actors can leverage legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations under the guise of authorized activity. Leveraging legitimate credentials also allows APT actors to access other devices and trusted networks, enabling them to maintain persistence and obfuscate detection tools. See the resources below for further information.
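The provider-side guidance above (logical separation of customer data, no shared access to client networks, correlated logs focused on account misuse) and this section's point about legitimate credentials being reused across trusted networks describe the same detection problem: one credential showing up where its scope does not allow. The script below is an added example, not CISA's code or a tool from the page. It assumes a hypothetical host-to-tenant map, a declared tenant scope per provider account, and constructed logon events, and reports three things: use of a credential against a tenant outside its scope, a logon that originates inside one customer's enclave and lands in another's, and one credential reaching several tenants within a short window.

```python
"""Added example (not CISA's code): correlate logon events across the customer
enclaves an IT service provider operates, looking for one credential that
crosses tenant boundaries.

Hypothetical assumptions: every host maps to a tenant ("provider" for the
provider's own jump hosts, otherwise a customer name), each provider account
has a declared set of tenants it may administer, and events are constructed
tuples of (timestamp, account, source host, destination host).
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host and account inventory (hypothetical names).
HOST_TENANT = {
    "jump01": "provider",
    "acme-dc01": "acme", "acme-fs01": "acme",
    "globex-dc01": "globex", "globex-app01": "globex",
}
ACCOUNT_SCOPE = {
    "svc-acme-admin": {"acme"},
    "svc-globex-admin": {"globex"},
    "msp-global-admin": {"acme", "globex"},
}

# Constructed logon events: (timestamp, account, source host, destination host).
EVENTS = [
    (datetime(2024, 3, 1, 9, 0),   "svc-acme-admin",   "jump01",     "acme-dc01"),
    (datetime(2024, 3, 1, 9, 5),   "svc-acme-admin",   "acme-dc01",  "acme-fs01"),
    (datetime(2024, 3, 1, 9, 12),  "svc-acme-admin",   "acme-fs01",  "globex-dc01"),  # hop between customers
    (datetime(2024, 3, 1, 9, 20),  "svc-acme-admin",   "jump01",     "globex-app01"),
    (datetime(2024, 3, 1, 10, 0),  "svc-globex-admin", "jump01",     "globex-dc01"),
    (datetime(2024, 3, 1, 11, 0),  "msp-global-admin", "jump01",     "acme-dc01"),
    (datetime(2024, 3, 1, 11, 30), "msp-global-admin", "jump01",     "globex-dc01"),
]


def out_of_scope(events: list[tuple]) -> list[dict]:
    """Credential used against a tenant it is not scoped to; unknown accounts have no scope."""
    return [{"kind": "out_of_scope", "account": acct, "dst": dst, "ts": ts.isoformat()}
            for ts, acct, src, dst in events
            if HOST_TENANT[dst] not in ACCOUNT_SCOPE.get(acct, set())]


def cross_enclave_hops(events: list[tuple]) -> list[dict]:
    """Logon that starts inside one customer's enclave and lands in a different tenant:
    evidence that client networks are reachable from each other."""
    found = []
    for ts, acct, src, dst in events:
        src_tenant, dst_tenant = HOST_TENANT[src], HOST_TENANT[dst]
        if src_tenant != "provider" and src_tenant != dst_tenant:
            found.append({"kind": "cross_enclave_hop", "account": acct,
                          "src": src, "dst": dst, "ts": ts.isoformat()})
    return found


def fan_out(events: list[tuple], window: timedelta = timedelta(minutes=60)) -> list[dict]:
    """One credential reaching hosts in more than one tenant within `window`, reported once per account."""
    by_account: dict[str, list] = defaultdict(list)
    for ts, acct, src, dst in events:
        by_account[acct].append((ts, HOST_TENANT[dst]))
    found = []
    for acct, hits in by_account.items():
        hits.sort()
        for t0, _ in hits:
            tenants = {tenant for ts, tenant in hits if t0 <= ts <= t0 + window}
            if len(tenants) > 1:
                found.append({"kind": "fan_out", "account": acct,
                              "tenants": sorted(tenants), "from": t0.isoformat()})
                break
    return found


def correlate(events: list[tuple]) -> list[dict]:
    """Run all three rules over the same event stream."""
    return out_of_scope(events) + cross_enclave_hops(events) + fan_out(events)


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per rule, for a quick triage view."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = correlate(EVENTS)
    print(summarize(results))
    for finding in results:
        print(finding)
```

The scope rule is the least-privilege check; the hop rule only fires when a customer enclave can reach another one, which the separation guidance says should not be possible; and the fan-out rule is deliberately scope-agnostic, so a global administrative credential touching several customers in quick succession is surfaced for review even when every individual logon was permitted.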

Federal Government High Value Assets

Federal departments and agencies are responsible for the IT assets and personal information entrusted to them by hundreds of millions of Americans. Federal government High Value Assets (HVAs) enable essential functions and operations, provide services to citizens, generate and disseminate information, and facilitate greater productivity and economic prosperity. The resources in the links below provide additional contextual detail and hardening recommendations for HVAs.

IT Service Provider Customer Contracts

MSP and CSP customers should be aware that the decision to centralize information with an IT service provider can present risks to the confidentiality and integrity of their proprietary information. MSP and CSP customers should consider contract language that supports the customer’s needs and requirements for both virtual and physical security, including supply chain risk management. See the resources below for more information.

Additional Resources