Chinese threat actor, also known as Stone Panda, infiltrated European SaaS and cloud services giant looking to pilfer data from clients
The Chinese hackers best known for the Cloudhopper series of attacks on global managed service providers targeted Norwegian cloud software provider Visma in an effort to steal corporate secrets from its clients, according to information gleaned by incident investigators for Recorded Future and Rapid7 and confirmed by Visma officials.
The Lowdown: The attacks took place between November 2017 and September 2018 and appear to have been thwarted by Visma’s security team before any client systems were compromised. Visma, which had $1.3 billion in annual revenue last year and serves more than 850,000 customers worldwide, took the unusual step this week of confirming the hack, saying it wanted to contribute to public awareness of such attacks and motivate other organizations to share information about them.
The Details: According to researchers at Recorded Future and Rapid7, the attackers gained access to Visma’s network using stolen user credentials for the Citrix and LogMeIn remote-access tools, then leveraged DLL sideloading to deliver remote-access malware. The attackers ultimately compressed and exfiltrated Visma files to a Dropbox account.
The Impact: APT10, active since at least 2008, has since 2016 conducted a series of attacks known as “Operation Cloudhopper” against 45 MSPs and other companies in 12 countries, including the United States. The attacks are purpose-built to take advantage of the trusted access MSPs have to their clients’ networks, and the threat actor is believed to have stolen intellectual property from hundreds of corporations worldwide.
Background: Security experts have been warning of the danger of APT10 for more than two years, as the list of compromised organizations — which reportedly includes the managed service units of giants IBM and HPE — continues to grow.
In December, the U.S. Justice Department charged two alleged members of APT10 with hacking businesses and U.S. government agencies to steal intellectual property on behalf of China’s Ministry of State Security.
The Buzz: “We have several teams of security professionals in Visma that use efficient systems and methods to protect our systems from being breached,” said Espen Johansen, operations and security manager at Visma in Oslo, Norway. “Through the existing security programs, coordinated response of our security teams, and good advice from our partners, we were able to prevent client data from being compromised.
“As a general rule, we always report cyberattacks to the police – it is our responsibility as a corporation and our responsibility towards our clients,” Johansen added. “We are very thankful for the guidance and advice from NSM NorCERT, police, and other cooperating parties in this case. We urge all organizations to explore the opportunities that are available in CERT cooperation.”
“We believe APT10 is the most significant Chinese state-sponsored cyberthreat to global corporations known to date,” Recorded Future researchers wrote in a blog post detailing the attack on Visma and two other unnamed organizations. “On top of the breadth, volume, and targets of attacks that APT10 has conducted since at least 2016, we now know that these operations are being run by the Chinese intelligence agency, the Ministry of State Security.”