to gain access to victims' systems. Once inside, they used the company's credentials to attack their client companies. The security of the supply chain has been a recognised weakness in security systems since at least 2013 when it was discovered that attackers had gained access to the Target retail chain in America through an HVAC service provider. Now it appears that APT10 is using that approach on a large scale.
The group was discovered by PwC's cyber-security practice and BAE Systems, working alongside the UK's National Cyber Security Centre (NCSC). The scale of the espionage campaign only became apparent in late 2016, but the attack is thought to be the largest sustained global cyber-espionage campaign ever seen. PwC and BAE Systems said APT10 conducted the espionage campaign by targeting providers of managed outsourced IT services as a way in to their customers' organisations around the world, gaining unprecedented access to intellectual property and sensitive data.
It is thought the group launched the campaign in 2014 and then significantly ramped it up in early 2016, adding new developers and intrusion operators to continually enhance capability. The group is known to have exfiltrated a high volume of data from multiple victims and used compromised networks to stealthily move this data around the world. A number of Japanese organisations have also been targeted directly in a separate, simultaneous campaign by the same group, with APT10 masquerading as legitimate Japanese government entities to gain access.
Forensic analysis of the timings of the attack, as well as tools and techniques used, led investigators to conclude that the group may be based in China, but apart from that, it is not known precisely who is behind APT10 or why it targets certain organisations.
Kris McConkey, partner for cyber-threat detection and response at PwC, said that the indirect approach of this attack highlights the need for organisations to have a comprehensive view of the threats they're exposed to – including those of their supply chain. “This is a global campaign with the potential to affect a wide range of countries, so organisations around the world should work with their security teams and providers to check networks for the key warning signs of compromise and ensure they respond and protect themselves accordingly,” he said.
Richard Horne, cyber-security partner at PwC, added that “operating alone, none of us would have joined the dots to uncover this new campaign of indirect attacks. “Together we've been working to brief the global security community, managed service providers and known end victims to help prevent, detect and respond to these attacks,” he added.
Ilia Kolochenko, CEO of High-Tech Bridge, told SC Media UK that until there is more detail on the attacks, it would not be possible to make a reliable conclusion as to who was behind the so-called APT10. “Taking into consideration how careless and negligent some managed IT providers are, I wouldn't be surprised if all the attacks were conducted by a group of teenagers – something we have already seen in the past,” he said.
“IT services providers should better enumerate and assess their digital risks, and implement appropriate security controls to mitigate related threats and vulnerabilities. Security standards, like ISO 27001, can significantly help assure that the risks are continuously identified and are being duly addressed. For cyber-security service providers, accreditation by CREST is also an important factor to demonstrate the necessary standard of care around security, confidentiality and integrity for their own and client data,” he added.
“Companies looking to secure their supply-chain can oblige their suppliers to get certified by ISO 27001 for example, or to provide solid and unconditional insurance to cover any data breaches and data leaks, including direct and consequent damages.”