Norwegian security firm thwarts state-sponsored attack by APT10
Norwegian cybersecurity firm Visma is accusing a Chinese state-sponsored attack group, APT10, of attacking its systems and engaging in cyberespionage.
Visma, in partnership with fellow security firms Recorded Future and Rapid7, investigated a cyberespionage campaign that targeted organisations in the United States and Europe between November 2017 and September 2018.
The targeted companies included Visma itself, a US law firm, and an international apparel company. Visma's own intelligence systems warned the company that it was about to be attacked.
“The attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials,” Recorded Future explains.
“The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver Trochilus malware.”
While the firm mitigated the threat and no systems were affected in the attack, the company says that in the name of transparency, it must share information about the attack.
APT10, also known as Stone Panda, menuPass, and CVNX, is a group with ties to Chinese state-sponsored threat actors. It has been operating since at least 2009 and is thought to be associated with the Chinese Ministry of State Security, according to Recorded Future.
"We have several teams of security professionals in Visma that use efficient systems and methods to protect our systems from being breached. Through the existing security programs, coordinated response of our security teams and good advice from our partners, we were able to prevent client data from being compromised," comments Visma operations and security manager, Espen Johansen.
Visma worked with Recorded Future to conduct further analysis on the origin of the attacks, gather intelligence, and ensure correct attribution.
Visma's Corporate Security Incident Response Team also worked with its Product Security Operations Center, NSM NorCERT, and police.
“In this case, no client data was compromised, and Visma chose not to issue a general alert before they had conclusive evidence on who performed the theft,” the company says.
The company also believes that sharing information on attacks contributes to public awareness and motivates other companies to do the same.
“As a general rule, we always report cyber attacks to the police – it is our responsibility as a corporation and our responsibility towards our clients. We are very thankful for the guidance and advice from NSM NorCERT, Police (PST), and other cooperating parties in this case,” says Johansen.
“We urge all organisations to explore the opportunities that are available in CERT cooperation.”