PwC collaborates with public and private sector partners to uncover new sustained global cyber espionage campaign

Published at 18:04 PM on 03 April 2017

  • The close working collaboration between private sector companies and UK’s National Cyber Security Centre led to identifying and disrupting new cyber attack campaign
  • Systemic cyber breaches demonstrate new level and maturity of targeted attacks against the supply chain, compromising outsourced IT service providers to gain widespread access to thousands of organisations
  • A hacking group has conducted one of the most prolific espionage campaigns since APT1 in 2013, employing new tactics to reach a broad audience

PwC’s cyber security practice has worked closely with BAE Systems and other members of the security community, along with the UK’s National Cyber Security Centre (NCSC), to uncover and disrupt what is thought to be one of the largest ever sustained global cyber espionage campaigns.

Since late 2016, when the scale of the espionage campaign became increasingly apparent, PwC and BAE Systems, through their membership of the Cyber Incident Response (CIR) scheme, shared their research into the campaign with NCSC, which has notified affected communities.

PwC and BAE Systems believe the hacking group widely known as ‘APT10’ conducted the espionage campaign, by targeting providers of managed outsourced IT services as a way in to their customers’ organisations around the world, gaining unprecedented access to intellectual property and sensitive data. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage. The sheer scale of the operation was only uncovered through collaboration, and is still only likely to reflect a small portion of APT10’s global operations.

Richard Horne, cyber security partner at PwC, commented:

“The future of cyber defence lies beyond simple intelligence sharing, but in forging true collaboration between organisations in the public and private sector with the deep technical and innovative skills required to combat this type of threat. This operation has demonstrated the importance of the recently established National Cyber Security Centre, set up for moments just like this. Operating alone, none of us would have joined the dots to uncover this new campaign of indirect attacks. Together we’ve been working to brief the global security community, managed service providers and known end victims to help prevent, detect and respond to these attacks.

“New forms of attack require new ways of working to defend our society. Close working collaboration is key.”

APT10 campaign key findings

  • We have seen APT10 targeting managed service provider networks from 2016 onwards, and it is likely that this activity had begun as early as 2014
  • APT10 has significantly increased its scale and capability since early 2016, adding new developers and intrusion operators to continually enhance their capability
  • APT10 focuses on espionage activity, targeting intellectual property and other sensitive data from a wide range of sectors and countries. The group is known to have exfiltrated a high volume of data from multiple victims and used compromised networks to stealthily move this data around the world
  • A number of Japanese organisations have also been targeted directly in a separate, simultaneous campaign by the same group, with APT10 masquerading as legitimate Japanese government entities to gain access

Kris McConkey, partner, cyber threat detection and response at PwC, who will present on the findings of this joint research today at the Kaspersky Security Analyst Summit in St. Maarten, added:

“The indirect approach of this attack highlights the need for organisations to have a comprehensive view of the threats they’re exposed to – including those of their supply chain. Alongside our research work, we have also notified the threat intelligence community and worked with the NCSC to notify managed service providers and known victims.

“This is a global campaign with the potential to affect a wide range of countries, so organisations around the world should work with their security teams and providers to check networks for the key warning signs of compromise and ensure they respond and protect themselves accordingly.”


Notes for editors.

For more information, please contact Felicity Main: [email protected] / +44 (0)7841 467 421

For advice on protecting your organisation, please contact PwC’s Incident Response team


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 208,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at

PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. © 2016 PwC. All rights reserved

« UK pension fund deficit falls to £500bn, according to PwC’s Skyval Index | Homepage | The PwC Sage Impact Centre launches »

  • Contact us
  • +44 (0) 20 7213 1768

Specific and out of hours contacts