The Five Eyes intelligence alliance has warned of increased cyberattacks specifically targeting Managed Services Providers. Pulling from the Record:
The agencies from the U.S., U.K., Australia, Canada, and New Zealand said to “expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks.”
On Wednesday, the government agencies said that they are “aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.” The alert does not refer to any specific incidents.
In scary wording for customers, MSPs were described as “launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises, and other methods.”
And also of note, the notice urged MSP customers to make sure their contractual arrangements specify that their MSP implements the measures and controls in the advisory, which included implementing mitigation resources to protect initial compromise attack methods from vulnerable devices, internet-facing services, brute force, and password spraying, and phishing.
The MSP focused recommendations are:
- Finding and disabling dormant accounts.
- Implementing and enforcing multifactor authentication on accounts.
- Ensuring contracts map out who owns and is responsible for securing data.
Why do we care?
What wasn’t said is what we care about – why now? What are those referenced reports?
There’s nothing specific here that hasn’t been saying before. However, from a messaging perspective, saying it repeatedly helps ensure that the public hears it.
And that’s what I’ve been pondering. IT providers live in that world of unrecognized labor – you’re noticed when things go wrong. In a market where tech is losing public confidence generally, how large is the space of those with active distrust of the moniker MSP? That’s a moniker that the industry has already lost control of and now is codified in law. Previously, there would be two camps – those that have worked with an MSP and those unaware of them. Now, there’s a non-zero space for those with a negative impression of the space.
I’m not saying it’s massive. I’m just noting that the messaging heard broadly is negative for attack vectors and launchpads for breaches, and it’s certainly not zero and likely to grow.
And what if it’s the savviest end of the market – the customers paying attention?

