China hacked Norway’s Visma cloud software provider
A Chinese nation-state hacking group known as APT10 has hacked and stolen data from Visma, a Norwegian company that provides cloud-based business software solutions for European companies.
The intrusion into Visma’s network took place on August 17, 2018, according to a joint report published today by US cyber-security firms Rapid7 and Recorded Future.
According to the report, Chinese government-backed hackers breached the company’s internal network by using stolen valid user credentials for a Citrix remote-access software client that Visma employees were using to access the company’s internal network.
Once the hackers were in, they deployed two malware strains, the Trochilus remote access trojan and the Uppercut (Anel) backdoor, to search, gather, and exfiltrate Visma’s data.
The Norwegian company formally admitted to the hack today in a statement published on its website. The company said that hackers only stole internal Visma data, and that “none of their clients’ systems were affected.”
Recorded Future and Rapid7 believe that the intrusion was detected in its early stages before APT10 hackers could abuse the stolen data to escalate infections to Visma customers by backdooring or abusing Visma’s cloud software to get a foothold on customers’ internal networks.
Visma also said the intrusion was identified by their own intelligence systems, confirmed and correlated with data from Rapid7, and investigated further with the help of Recorded Future.
Visma is one of Europe’s largest cloud-based managed service providers (MSPs), with over 850,000 customers and net revenue of over $1 billion (2017).
Two other companies also hacked
Rapid7 also identified other APT10 hacks based on the data gathered during the Visma incident response. Experts said that the same Chinese hacking group also breached a US law firm that helps Chinese companies enter the US market (late 2017), and an international apparel company (early 2018).
These hacks are part of a larger APT10 hacking spree that began in 2017 and targeted companies all over the world, but mainly cloud providers.
US government authorities and the private cyber-security sector have been warning about this hacking spree, which they codenamed Operation Cloudhopper, since 2017.
In December 2018, the US Department of Justice charged two Chinese nationals it believed were part of APT10 with hacks at 45 US companies and numerous others in eleven other countries.
At least nine cloud providers are believed to have been hacked. At the time of writing, the names of three are known: IBM, HPE, and now Visma.
Australia, Canada, Japan, New Zealand, the US, and the UK had all formally accused China and condemned its hacking spree, although the Beijing government denied all accusations.