A Chinese nation-state hacking group known as APT10 has hacked and stolen data from Visma, a Norwegian software firm that provides cloud-based business software solutions for European countries, according to cybersecurity researchers.
Investigators at Recorded Future and Rapid7 said in their report that the APT10 ‘sustained campaign’ occurred between November 2017 and September 2018, and was publicly disclosed on Wednesday (Feb. 6).
In their joint report, researchers revealed that APT10 targeted Visma as well as an international apparel company and an American law firm that specialises in intellectual property law.
The unidentified law firm supposedly has clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors.
In all three cases, APT10 infiltrated the networks through Citrix and LogMeIn remote-access software, logging in with stolen valid credentials. Once inside, the hackers elevated their privileges before using DLL “sideloading techniques” to deliver malware.
During the Visma attack, APT10 deployed a Trochilus remote access Trojan with “command and control (C2) communications encrypted using both RC4 and Salsa20 streaming ciphers rather than the typically observed RC4 variant”, the report says.
Meanwhile, the other two networks were infected with a “unique version of the UPPERCUT (ANEL) backdoor, known to have only been used by APT10”.
Run by China’s Ministry of State Security intelligence agency, APT10 is well known in the world of cybersecurity, especially when it comes to targeting Managed Service Provider (MSP) businesses.
Operation Cloud Hopper
In 2017, the group was found to be targeting MSPs, in an attack campaign called Operation Cloud Hopper. APT10 allegedly orchestrated cyber espionage attacks against MSPs in 15 countries, including the US, UK, Canada, Finland, Norway, Sweden, France, Switzerland, Japan, Thailand, and Brazil.
“Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds, if not thousands, of corporations around the world,” the report states. “We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks, and not of stealing Visma intellectual property.”
In December of last year, the US charged two Chinese state-sponsored hackers, Zhu Hua and Zhang Shilong, for breaking into American networks and stealing trade secrets and confidential information.
“We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date,” the researchers wrote. “On top of the breadth, volume, and targets of attacks that APT10 has conducted since at least 2016, we now know that these operations are being run by the Chinese intelligence agency, the Ministry of State Security.”