Running everything from cloud storage to security — and even less important needs such as internet-connected heating-and-cooling systems — companies known as “managed service providers” (MSPs) “remotely manage the information technology infrastructure of businesses and governments around the world,” the Department of Justice said in a press release Thursday about the indictment.
It was one of those service providers that became the entry point for the Chinese hackers, who sent custom spearphishing emails that employees at an unnamed company thought included a file relevant to their work. The file, related to helicopter manufacturing, was attached to an email with the subject line “C17 Antenna problems.” The attachment — a malware-infected Word doc — was entitled “12-204 Side Load Testing.doc.”
From there, the hackers were able to get into dozens of networks and “steal, among other data, intellectual property and confidential business data on a global scale,” according to the indictments.
Gaining access to one company to then breach another is a technique known as “island hopping,” said Tom Kellermann, chief cybersecurity officer at Carbon Black, a Massachusetts-based cybersecurity firm.
“It’s all about ‘who do you know,’ and going after two degrees of separation,” Kellermann told NBC News.
Kellermann said Chinese hackers have grown adept at figuring out how companies are connected, giving them a wide variety of targets to gain entry to otherwise secure systems.
The Chinese hackers “tried to discern what companies are connected with other companies and rely on their services … going after major managed service providers for Fortune 500 companies, hacking into their networks through cloud environments, and leapfrogging and island hopping to their clients, colonizing vast swaths of American cyberspace.”
Kellermann said Carbon Black's analysis found there were up to a dozen of these managed service providers that were significant victims, which then controlled the assets or data of “hundreds” of companies. That analysis also found that half of all Chinese cyberattacks tracked over the summer used island hopping.
The compromised clients of the managed service providers were in at least 12 countries and were involved in an array of industries including banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, health care, biotechnology, automotive, oil and gas exploration, and mining, the DOJ said.
Concern has been steadily mounting in the cybersecurity world over the threat posed by vulnerabilities at managed service providers, as well as at companies that work with the U.S. government and collect data about its employees. The recent Marriott data breach potentially includes data on the travel of U.S. employees, which could in turn be used to target espionage efforts.
“The business is only as secure as their weakest service provider in this case,” said Thomas Moore, security architect at Signal Hill Technologies, a cybersecurity contractor in Northern Virginia. “And an attacker has a pick of the litter to which business they want access to, often without much scrutiny.”
Ben Popken is an NBC News Senior Business reporter.