The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued an alert about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), Cloud Service Providers (CSPs) and their customers.
The attacks take advantage of trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and sensitive patient data.
The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to service providers’ networks and the systems of their customers.
The information has been shared to allow network defenders to take action to block the threats and reduce exposure to the Chinese threat actors’ activities. Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent successful attacks. While a range of mitigations have been specified, there is no single solution that will work for all organizations and mitigating these malicious activities can be a complex process.
Advice for Customers of IT Service Providers
Healthcare organizations that utilize IT service providers are advised to:
- Ensure their providers have conducted a review to determine whether there is a security concern or whether a compromise has occurred.
- Ensure their IT service providers have implemented solutions and tools to detect cyberattacks.
- Review and verify connections between healthcare systems and those used by IT service providers.
- Verify all IT service provider accounts are being used for appropriate purposes.
- Disable IT service provider accounts when they are not in use.
- Ensure business associate agreements require IT service providers to implement appropriate security controls, to log and monitor client systems and connections to their networks, and to promptly issue notifications when suspicious activity is detected.
- Integrate system log files and network monitoring data into intrusion detection and security monitoring systems for independent correlation, aggregation and detection.
- Ensure service providers view US-CERT pages related to APT groups targeting IT service providers, specifically TA-18-276A and TA-18-276B.
Advice for IT Service Providers
IT service providers have been advised to take the following actions to mitigate the risk of cyberattacks:
- Ensure the mitigations detailed in US-CERT alerts are fully implemented.
- Ensure the principle of least privilege is applied to their environments, customers’ data are logically separated, and access to clients’ networks is not shared.
- Implement advanced network and host-based monitoring systems that look for anomalous behavior that could indicate malicious activity.
- Aggregate and correlate log information to maximize the probability of detection of malicious activity and account misuse.
- Work closely with customers to ensure that all hosted infrastructure is carefully monitored and maintained.
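The customer-side advice above (verify that provider accounts are used for appropriate purposes, disable them when not in use, and correlate log data independently of the provider) and the provider-side advice (aggregate and correlate logs to detect account misuse) both come down to checking provider-account activity against what the provider is actually authorised to do. The following script is an added illustration of that check, written for this article; it is not code from DHS, US-CERT, CISA or any service provider. The log format, account names, source ranges and maintenance windows are all constructed for the example, and a real deployment would read them from the organisation's own SIEM export, identity system and change-ticket records.

```python
"""
Correlate IT-service-provider (MSP) account logins against the access the
provider is authorised to have, and list provider accounts that have gone idle.
All data below is constructed for this example, not taken from a real environment.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: accounts issued to the provider, the source ranges the
# provider is allowed to connect from (e.g. its jump hosts), and their purpose.
PROVIDER_ACCOUNTS = {
    "svc-msp-backup": {"sources": ["203.0.113.0/24"], "purpose": "backup"},
    "svc-msp-patch":  {"sources": ["203.0.113.0/24"], "purpose": "patching"},
    "svc-msp-legacy": {"sources": ["203.0.113.0/24"], "purpose": "retired"},
}

# Constructed: approved maintenance windows (change tickets) per account.
MAINTENANCE_WINDOWS = {
    "svc-msp-backup": [(datetime(2019, 1, 15, 1, 0), datetime(2019, 1, 15, 4, 0))],
    "svc-msp-patch":  [(datetime(2019, 1, 15, 2, 0), datetime(2019, 1, 15, 5, 0))],
}

# Constructed: key=value authentication log lines as a customer might export them.
SAMPLE_LOG = """\
2019-01-15T01:12:03Z host=ehr-db01 event=login user=svc-msp-backup src=203.0.113.10 result=success
2019-01-15T02:40:11Z host=file01 event=login user=svc-msp-patch src=203.0.113.12 result=success
2019-01-15T13:05:44Z host=ehr-db01 event=login user=svc-msp-backup src=198.51.100.7 result=success
2019-01-15T03:20:00Z host=ehr-app02 event=login user=svc-msp-patch src=203.0.113.12 result=success
2019-01-14T22:01:09Z host=ehr-db01 event=login user=jsmith src=10.0.0.5 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Login:
    ts: datetime
    host: str
    user: str
    src: str


def parse_log(text):
    """Keep only successful logins; ignore lines that do not match the format."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "login" or m["result"] != "success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        logins.append(Login(ts, m["host"], m["user"], m["src"]))
    return logins


def in_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def from_approved_source(src, account):
    addr = ip_address(src)
    return any(addr in ip_network(n) for n in PROVIDER_ACCOUNTS[account]["sources"])


def find_anomalies(logins):
    """Provider-account logins outside an approved window or from an unapproved source."""
    findings = []
    for lg in logins:
        if lg.user not in PROVIDER_ACCOUNTS:
            continue  # the customer's own staff; out of scope for this check
        reasons = []
        if not in_window(lg.ts, MAINTENANCE_WINDOWS.get(lg.user, [])):
            reasons.append("outside approved maintenance window")
        if not from_approved_source(lg.src, lg.user):
            reasons.append("source not in provider allowlist")
        if reasons:
            findings.append((lg.user, lg.host, lg.ts.isoformat(), reasons))
    return findings


def idle_accounts(logins, now, max_idle_days=30):
    """Provider accounts with no login in max_idle_days: candidates to disable."""
    last_seen = {}
    for lg in logins:
        if lg.user in PROVIDER_ACCOUNTS:
            last_seen[lg.user] = max(last_seen.get(lg.user, lg.ts), lg.ts)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in PROVIDER_ACCOUNTS if last_seen.get(a, datetime.min) < cutoff)


def audit_sample(now=datetime(2019, 1, 16)):
    """Run both checks over the constructed sample log."""
    logins = parse_log(SAMPLE_LOG)
    return {"anomalies": find_anomalies(logins), "idle": idle_accounts(logins, now)}


if __name__ == "__main__":
    result = audit_sample()
    for finding in result["anomalies"]:
        print("ANOMALY", finding)
    print("idle provider accounts (candidates to disable):", result["idle"])
```

On the sample data the script flags the afternoon login by `svc-msp-backup` from an address outside the provider's range, which matches neither an approved window nor an approved source, and reports `svc-msp-legacy` as an account with no recent use that should be disabled. The point of keeping the allowlist and maintenance windows on the customer side is that the correlation does not depend on the provider's own telemetry, which is exactly the independence the advice above asks for.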