The Thousand Hands: APT10

← Home·Gallery·Techniques

Threat Intelligence Tarot

swords · 1

China (MSS - Tianjin Bureau)

G0045

★★★★★

risk 4/5

✦ The Thousand Hands ✦

APT10

Stone Panda · MenuPass · POTASSIUM · Cicada

MSPsHealthcareDefenseFinanceManufacturing26+ countries

Active since ~2009 · Intellectual property theft, Managed service provider compromise, Supply chain espionage

It does not attack companies. It attacks the companies that manage companies. One managed service provider, patiently owned, becomes a skeleton key to a hundred client networks. The Thousand Hands reaches everywhere without touching anything directly.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1190

Exploit Public-Facing Application

Initial Access

T1078

Valid Accounts

Persistence

T1059.003

Windows Command Shell

Execution

T1021.001

Remote Desktop Protocol

Lateral Movement

T1041

Exfiltration Over C2 Channel

Exfiltration

T1134

Access Token Manipulation

Privilege Escalation

Notable Operations

◆Operation Cloud Hopper - global MSP compromise (2016–2017)
◆ANEL and PlugX malware deployments
◆US, UK, Australia, Canada, Japan advisory (2018)
◆Targeted 45+ companies across 12 countries via single MSP campaign

Defenses

▸
Third-party and MSP access segmentation and least-privilege
CIS Control 6 ↗
▸
MFA enforcement on all remote access including vendor accounts
NIST SP 800-63B ↗
▸
Supply chain risk management program
NIST CSF: ID.SC ↗
▸
Behavioral anomaly detection on privileged accounts
NIST CSF: DE.AE ↗

Reversed: Their Weakness

Cloud Hopper's exposure came when security researchers noticed identical malware families and C2 infrastructure across seemingly unrelated victim networks - the pattern of the MSP pivot, once seen, could not be unseen.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Storm Next →The Tidal Current

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.