- Collaboration between the NCSC, PwC and BAE has led to the discovery of a sustained and global cyber campaign
- A known cyber actor using previously documented intrusion tools has targeted major international Managed Service Providers (MSPs) since at least May 2016
- We assess the ultimate targets are customers of these MSPs
- The activity we are aware of likely represents only a small proportion of the total malicious activity; we are still working to establish the scale of the activity
- Compromises could affect government or industry supply chains; we will update our assessment when more information becomes available
- We have no evidence to suggest these actors are targeting the general public or SMEs
What is the threat?
Working closely with industry partners in the Cyber Incident Response Scheme (CIR) we have become aware of ongoing targeted attacks against global Managed Service Providers by a hostile actor. The information provided in this document should be sufficient to understand the issue and to support you in any necessary mitigation activity. We will continue to update our technical indicators and guidance as our investigation, with industry and our international partners, continues.
Where can I get details?
We have published on our Cyber-security Information Sharing Partnership (CISP) a consolidated technical assessment along with indicators of compromise that can be used to support detection. This note provides more general guidance for managing the risks from a Managed Service Provider. Public authorities and CNI sectors with existing NCSC contacts should approach them if they have any further questions.
What does my Managed Service Provider know?
We have notified all members of the Managed Service Provider Information Exchange (MSPIE) and all Managed Service Providers on CISP have access to our technical information. If your MSP is not a member of the MSPIE or CISP, you should encourage them to join to gain access to this information.
How do I know if I’m affected?
To understand if you are affected there are some activities you need to carry out, and some topics that need discussing in an open dialogue with your MSPs.
You may deploy the indicators we have published on CISP on your network monitoring solution. However, since these attacks are specifically targeted against MSPs, you should make sure that your MSP has deployed the indicators on their monitoring solution too. Pay particular attention to any network connectivity with your MSPs, such as VPN termination, and to the accounts your MSP uses to reach your systems. Any detection from those indicators should be thoroughly investigated and any malicious activity reported to firstname.lastname@example.org. Bear in mind that indicators reflect only the activity observed so far, and that the actor's infrastructure can change, so the absence of a match is not evidence that you are unaffected. You should also review your independent audit logs (for example VPN authentication, remote access and privileged account logs) to determine whether any suspicious activity has taken place on your systems in the context of your MSP's access, such as MSP accounts connecting from unexpected sources or outside agreed maintenance windows.
You should contact your MSP and discuss their response to these attacks, including whether and how you have been affected. You should ensure that your MSPs are doing everything necessary to investigate whether they have been compromised and what effect any such compromise has had on their customers. Do not accept assertions from your provider, but instead demand evidence.
Should I change MSP?
This should depend on their response to your enquiries. It is unlikely that any MSP today is in a significantly better position than any others. The way they respond to the incident, how they help you investigate any potential impact on your systems and data and their willingness to work with you on remediation and future uplifts in the security of their service to you should be part of your determination of your long-term relationship with your provider. MSPs who are unwilling to work closely with customers or unwilling to share information with you should be treated with extreme caution.
What else should I be doing?
This campaign provides a useful reminder that an organisation’s entire supply chain needs to be managed and that organisations cannot outsource their risk. Managed Service Providers are particularly attractive to attackers because they often have highly privileged access to systems and data. As part of your procurement, you should have ensured that your service providers all manage their security to a level broadly equivalent to that you would expect from your internal functions. This incident provides a useful impetus to revisit those discussions.
If your MSP uses cloud services as part of their delivery, or is effectively a cloud service provider to you, you should ensure that you understand how that affects the security of your data and systems, and the cloud security principles should help.
If your MSP has administrative rights over infrastructure or services that process personal data, you must assess the security against the bulk personal data protection principles. The same principles apply if your MSP operates on your behalf a service which processes personal data.
You should understand what model your MSP uses to manage your infrastructure and services. The NCSC system administration guidance provides a structure to help you understand the various risks. If your MSP uses one of the more risky models, you should demand that they fix this immediately, and in this case it would be prudent to undertake a detailed investigation to look for compromise (and not just for this specific series of attacks).

As well as the technical architecture used, you should understand their personnel security policies, the operational restrictions placed on the people who perform day-to-day activities in your MSP, how they store and manage access to your key credentials, and how they monitor and manage audit for their customer system accesses.

You should also understand how your MSP ensures separation between their customers, so that compromise of one does not allow compromise of all. As part of that assessment, you should consider how the MSP's own corporate network may bring risk to your systems and data and how they manage that on your behalf. Your MSP's corporate network should be separated from the infrastructure used to provide service to you.
You should ensure that you have monitoring and audit that is independent of your MSP. This is critical for security monitoring and management, but also for contractual enforcement and investigations of both cyber (e.g. this campaign) and non-cyber (e.g. insider-led data theft) incidents. An organisation that has engaged an MSP (or outsourced a service function in another way) without maintaining some independent monitoring is unlikely to be able to manage their risk effectively.
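The following is an added example written for this note, not NCSC or CISP tooling, showing the kind of check that the indicator deployment and independent audit review described above (under "How do I know if I'm affected?") and the independent monitoring requirement in this section call for: constructed VPN and DNS log lines are matched against a constructed indicator list, and activity by the MSP's contracted accounts is compared with the MSP's agreed access profile. The log format, the account names, the netblocks and the maintenance window are all assumptions made for the example; the indicator values use RFC 5737 documentation addresses and an example domain, not real campaign indicators.

```python
"""Added example: check independent VPN/DNS logs against published
indicators and against the MSP's agreed access profile.

Illustrative code written for this note; every value below is constructed."""
import ipaddress
import re
from datetime import datetime, time

# Constructed indicators standing in for a CISP feed. 203.0.113.0/24 is
# reserved documentation space (RFC 5737); no real campaign IOCs are used.
INDICATOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]
INDICATOR_DOMAINS = {"update-check.example"}  # assumed DNS indicator

# Constructed MSP access profile: accounts the MSP is contracted to use,
# the netblock their VPN sessions should originate from, and the agreed
# maintenance window (assumed to be 18:00-06:00 local time).
MSP_ACCOUNTS = {"svc-msp-admin", "msp.operator1"}
MSP_SOURCE_NET = ipaddress.ip_network("198.51.100.0/24")
WINDOW_START, WINDOW_END = time(18, 0), time(6, 0)

# Assumed log format: "<ISO time> <event> user=<u> src=<ip> [dst=<host>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: dst=(?P<dst>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def in_window(ts):
    """True if ts falls inside the maintenance window (which wraps midnight)."""
    t = ts.time()
    if WINDOW_START > WINDOW_END:
        return t >= WINDOW_START or t < WINDOW_END
    return WINDOW_START <= t < WINDOW_END


def check_record(rec):
    """Return the list of reasons this record needs investigation."""
    reasons = []
    if any(rec["src"] in net for net in INDICATOR_NETS):
        reasons.append("source matches published indicator")
    if rec.get("dst") in INDICATOR_DOMAINS:
        reasons.append("destination matches published indicator")
    if rec["user"] in MSP_ACCOUNTS:
        # MSP sessions should come from the MSP netblock and inside the window
        if rec["event"] == "vpn-login" and rec["src"] not in MSP_SOURCE_NET:
            reasons.append("MSP account from outside MSP netblock")
        if not in_window(rec["ts"]):
            reasons.append("MSP account outside maintenance window")
    return reasons


def check_logs(lines):
    """Return [(line, reasons)] for every record that needs a closer look."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; in practice, count and report these
        reasons = check_record(rec)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = """\
2017-04-03T02:15:07 vpn-login user=svc-msp-admin src=198.51.100.23
2017-04-03T11:42:51 vpn-login user=svc-msp-admin src=203.0.113.77
2017-04-03T11:43:09 dns-query user=svc-msp-admin src=10.0.5.12 dst=update-check.example
2017-04-03T14:05:00 vpn-login user=jsmith src=192.0.2.10
2017-04-03T15:30:12 vpn-login user=msp.operator1 src=198.51.100.45
"""

if __name__ == "__main__":
    for line, reasons in check_logs(SAMPLE_LOG.splitlines()):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The first sample line (an MSP account, from the MSP's netblock, during the window) produces nothing; the second trips both the indicator and the access profile; the last is flagged only because it falls outside the agreed window. The point of the profile checks is the one made in the text: an indicator match is a strong signal, but your own record of when and from where the MSP is expected to connect lets you spot misuse of MSP credentials even when the attacker's infrastructure is not yet on any published list.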
Finally, as a general framework to help conversations with providers, the NCSC's 10 Steps to Cyber Security may be useful.
[1] For the purposes of this note, a Managed Service Provider should be taken to mean any organisation which provides a service to a number of third parties. That service could include management of a corporate network, or the outsourcing of business processes.