Monday, January 7, 2019

Email continues to be the favorite attack vector, even for nation-state attacks. The APT10 (Chinese state-linked hacker) group used the same method with a twist and succeeded: rather than going after their direct targets, they compromised the managed service providers (MSPs) that ran those targets' IT, and through the MSPs reached industries as varied as banking and finance, biotech, consumer electronics, health care, manufacturing, oil and gas, and telecommunications, ultimately making off with hundreds of gigabytes of data from dozens of companies.

As usual, it started with a carefully crafted email. “C17 Antenna problems,” read the subject line of one APT10 message that landed in the inbox of a helicopter manufacturer, part of the 2006 campaign. The body was a simple request to open the attached file, a Microsoft Word document called “12-204 Side Load Testing.” Once someone opened the attachment, the attackers had their foothold: the malware it carried was running on the victim's computer.

The malware posed as a legitimate program on the victim’s computer to avoid antivirus detection, and communicated with any of the 1,300 unique domains APT10 registered for the campaign.

The APT10 hackers put themselves in a position where they not only had access to MSP systems but could move through them as an administrator would. Using those privileges, they initiated Remote Desktop Protocol (RDP) connections to other MSP computers and to client networks.

The hackers encrypted the stolen data and used stolen credentials to stage it on a different MSP or client system before exfiltrating it to an APT10-controlled IP address. They also deleted the stolen files from the compromised computers, all in an effort to avoid detection. Any time a private security company identified APT10 domains, the group quickly abandoned them and moved on to others. The lesson for anyone who relies on an MSP: the provider's administrative credentials and remote-access paths are part of your attack surface, and its RDP sessions into your network deserve the same scrutiny as your own administrators'.
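One concrete check that follows from the two paragraphs above is to hunt for the RDP fan-out pattern: a single administrative account, from a single source address, opening successful RDP sessions to many distinct hosts within a short window. On Windows, a successful logon is Security event 4624, and LogonType 10 (RemoteInteractive) is the RDP case. The script below is an added example, not code from the original post or from any referenced report; the log lines are constructed for the example, the `key=value` export format and the account names are assumptions, and the thresholds are illustrative starting points.

```python
"""Hunt for RDP fan-out from one account and source address.

Windows Security event 4624 (successful logon) with LogonType 10
(RemoteInteractive) is an interactive RDP logon.  An account that RDPs
from one source into many distinct hosts in a short window is the
lateral-movement pattern described above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real MSP telemetry), one per line, in an
# assumed key=value export format.  Note the LogonType=3 (network) logon
# and the 4625 (failed) logon mixed in: neither counts as an RDP session.
SAMPLE_LOGS = """\
2018-09-12T02:03:11Z host=WS-0101 EventID=4624 LogonType=10 TargetUserName=svc_msp_admin IpAddress=10.20.1.15
2018-09-12T02:05:40Z host=WS-0102 EventID=4624 LogonType=10 TargetUserName=svc_msp_admin IpAddress=10.20.1.15
2018-09-12T02:06:02Z host=FS-0003 EventID=4624 LogonType=3 TargetUserName=svc_msp_admin IpAddress=10.20.1.15
2018-09-12T02:08:19Z host=WS-0107 EventID=4624 LogonType=10 TargetUserName=svc_msp_admin IpAddress=10.20.1.15
2018-09-12T02:11:55Z host=DB-0002 EventID=4624 LogonType=10 TargetUserName=svc_msp_admin IpAddress=10.20.1.15
2018-09-12T02:12:30Z host=WS-0110 EventID=4625 LogonType=10 TargetUserName=svc_msp_admin IpAddress=10.20.1.15
2018-09-12T02:15:47Z host=FS-0003 EventID=4624 LogonType=10 TargetUserName=svc_msp_admin IpAddress=10.20.1.15
2018-09-12T02:19:03Z host=WS-0102 EventID=4624 LogonType=10 TargetUserName=svc_msp_admin IpAddress=10.20.1.15
2018-09-12T09:01:00Z host=WS-0101 EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.20.5.44
2018-09-12T09:30:12Z host=WS-0102 EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.20.5.44
2018-09-12T14:00:00Z host=WS-0200 EventID=4624 LogonType=10 TargetUserName=svc_msp_admin IpAddress=10.20.1.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse key=value lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["eid"] = int(ev["eid"])
        ev["lt"] = int(ev["lt"])
        events.append(ev)
    return events


def rdp_fanout(events, window=timedelta(minutes=30), threshold=5):
    """Return {(user, source_ip): sorted hosts} for every (user, source) whose
    successful RDP logons reached >= threshold distinct destination hosts
    inside some sliding window of the given length."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["eid"] == 4624 and ev["lt"] == 10:      # successful RDP logon only
            by_source[(ev["user"], ev["ip"])].append((ev["ts"], ev["host"]))

    findings = {}
    for key, logons in by_source.items():
        logons.sort()                                  # chronological order
        recent = deque()                               # logons inside the window
        best = set()                                   # widest fan-out seen
        for ts, host in logons:
            recent.append((ts, host))
            while ts - recent[0][0] > window:          # drop logons older than the window
                recent.popleft()
            hosts = {h for _, h in recent}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            findings[key] = sorted(best)
    return findings


if __name__ == "__main__":
    for (user, ip), hosts in rdp_fanout(parse_events(SAMPLE_LOGS)).items():
        print(f"RDP fan-out: {user} from {ip} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

In the sample, `svc_msp_admin` reaches five distinct hosts by RDP within sixteen minutes and is flagged; `jdoe` touches two hosts and is not, and the network logon and the failed logon are ignored. Tune the window and threshold to what your MSP's normal maintenance pattern looks like, and treat the source address as the pivot: in the campaign described above, that address would have belonged to an MSP system rather than to the adversary directly.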

https://www.wired.com/story/doj-indictment-chinese-hackers-apt10/
