21 December 2018

Important Information - MSP Global Hack

Today, the Australian Government joins other international partners in expressing serious concern about a global campaign of cyber-enabled commercial intellectual property theft by a group known as APT10, acting on behalf of the Chinese Ministry of State Security.  The sustained cyber intrusions by APT10 were significant and focussed on large scale Managed Service Providers (MSPs) – specialist companies that manage IT services and infrastructure for many medium to large businesses and organisations, both in Australia and globally.
Australia calls on all countries to uphold commitments to refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining a competitive advantage. These commitments were agreed by G20 Leaders in 2015. Australia and China reaffirmed them bilaterally in 2017.

The worldwide cyber security compromise serves as a reminder that all organisations must remain vigilant about security and that organisations such as MSPs must be responsible and accountable to those they serve.

For further details on the MSP Global Hack go to: https://cyber.gov.au/msp-global-hack/

I use a MSP, what should I do?
The Australian Cyber Security Centre (ACSC) has issued advice on concrete steps that you can take to limit your exposure and protect your information. For more information go to:  https://cyber.gov.au/msp-global-hack/customers/

Guidelines for MSP can be found here: https://cyber.gov.au/business/publications/msp-risk-for-msp/PROTECT_MSPs_How_to_manage_risk_to_your_customer.pdf

General Advice
Australia needs a dramatic shift in the security posture of businesses and organisations in response to this significant cyber-enabled threat which is very hard to detect.
Managed Service Providers (MSPs) are a useful target for espionage and cybercrime by their very nature because they provide back-end ICT services to business customers, requiring remote access from various locations around the world and escalated privileges for running IT for their customers. This highlights the importance for Australian businesses to conduct security assessments across their supply chain (3rd party supplier governance).

Businesses and organisations should conduct a baseline security assessment, based on ASD’s Essential Eight, which is a prioritised list of mitigation strategies to assist organisations in protecting their systems against a range of cyber threats. Once a strategy has been implemented, businesses and organisations should focus on increasing the maturity of their implementation so that they eventually reach full alignment with the intent of each mitigation strategy.