
Norwegian security firm thwarts state-sponsored attack by APT10

11 Feb 2019

Norwegian cybersecurity firm Visma is accusing the Chinese state-sponsored attack group APT10 of attacking its systems and engaging in cyberespionage.

Visma, in partnership with fellow security firms Recorded Future and Rapid7, investigated a cyberespionage campaign that targeted organisations in the United States and Europe between November 2017 and September 2018.

The targeted companies included Visma itself, a US law firm, and an international apparel company. Visma’s own intelligence systems warned the company that it was about to be attacked.

“The attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials,” Recorded Future explains.

“The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver Trochilus malware.”

While the firm mitigated the threat and no systems were affected in the attack, the company says that in the name of transparency, it must share information about the attack.

APT10, also known as Stone Panda, menuPass, and CVNX, is a group with ties to Chinese state-sponsored threat actors. It has been operating since at least 2009 and is thought to be associated with the Chinese Ministry of State Security, according to Recorded Future.

"We have several teams of security professionals in Visma that use efficient systems and methods to protect our systems from being breached. Through the existing security programs, coordinated response of our security teams and good advice from our partners, we were able to prevent client data from being compromised," comments Visma operations and security manager, Espen Johansen.

Visma worked with Recorded Future to conduct further analysis on the origin of the attacks, gather intelligence, and ensure correct attribution.

Visma’s Corporate Security Incident Response Team also worked with its Product Security Operations Center, NSM NorCERT, and police. 

“In this case, no client data was compromised, and Visma chose not to issue a general alert before they had conclusive evidence on who performed the theft,” the company says.

The company also believes that sharing information on attacks contributes to public awareness and motivates other companies to do the same.

"As a general rule, we always report cyber attacks to the police – it is our responsibility as a corporation and our responsibility towards our clients. We are very thankful for the guidance and advice from NSM NorCERT, Police (PST), and other cooperating parties in this case," says Johansen.

“We urge all organisations to explore the opportunities that are available in CERT cooperation.”
