Skip to main content

Global targeting of enterprises via managed service providers

Global targeting of enterprises via managed service providers

Key points

Managed Service Providers have been targeted in a global cyber campaign since at least mid-2016. This includes some companies that also operate in Australia.

  • Clients of these Managed Service Providers in both the public and the private sector could be affected.
  • We have no evidence at this stage to suggest the general public or small to medium enterprises are being targeted.
  • The Australian Cyber Security Centre is working with international partners and the private sector to establish the scale and impact on Australia.
  • The compromises identified to date likely represent only a small proportion of the activity.
  • Australian companies using Managed Service Providers are encouraged to contact their service provider to discuss risks.


The Australian Cyber Security Centre is aware of an ongoing malicious cyber campaign targeting Managed Service Providers internationally. Some of those companies operate in Australia. The centre has been working with international partners and affected companies to establish the scale of the activity and impact on Australia.

Cooperation between government and the private sector is critical to tackling cyber threats to Australia. Reporting of suspected activity will assist in understanding the nature and scope of the compromises.

The threat

Australia remains a target of malicious cyber activity. The Australian Cyber Security Centre's 2016 Threat Report highlighted an increase in secondary targeting – cyber actors attempting to gain access to information or an organisation through its supply chain relationship with another organisation.

A Managed Service Provider provides ICT infrastructure services to client organisations. This could include security services and specialised advice or equipment through to remotely managing networks and data storage on a client's behalf. The clients, which could be in the public or private sector, are potentially the ultimate targets of the compromises.

Identifying malicious activity

The cyber actor has used widely-known intrusion tools in a sustained malicious cyber campaign targeting major international Managed Service Providers. The Australian Cyber Security Centre has provided information to government agencies and CERT Australia's industry partners to be able to recognise the malicious activity and take steps to mitigate it. There is also significant public information, including indicators of compromise, for this malicious cyber activity and the actors associated – generally known as APT10.

Engaging your Managed Service Provider

If you have concerns, in the first instance you should contact your Managed Service Provider and discuss their response to the publicised intrusions, including whether and how you might have been affected. We have strongly encouraged affected Managed Service Providers to identify whether any of their clients have been compromised and work closely with them.

Our primary concern is ensuring the right measures are in place to protect Managed Service Providers and their customers' organisations. You should encourage your Managed Service Provider to engage closely with ASD and CERT Australia through the Australian Cyber Security Centre.

ASD has also developed broader guidance with practical questions to ask Managed Service Providers to ensure the security of ICT services they deliver to your organisation.

Good cyber security practices

More broadly, the Australian Cyber Security Centre recommends all organisations take steps to protect themselves online – the Australian Signals Directorate's Strategies to Mitigate Cyber Security Incidents, including the Essential Eight actions all businesses should adopt as their minimum cyber security baseline.


Should any evidence of this activity be identified, organisations are urged to contact the Australian Cyber Security Centre on 1300 CYBER1 (1300 292 371) or email CERT Australia for advice and assistance prior to taking any remediation action. 1300 CYBER1 should not be used for general enquiries or media interest.

All media enquiries should be directed to