Norway's Visma the latest cloud computing company targeted by China-linked APT10 hacking group
Cloud companies targeted by group linked to China's security services as part of long-running 'Operation Cloudhopper'
Members of hacking group APT10, who are believed to work for Chinese intelligence agencies, have been accused of infiltrating the network of Norwegian cloud computing company Visma.
In a joint report by security specialists Recorded Future and Rapid7, the group has been accused of stealing confidential trade secrets from Visma clients.
The attack took place on 17th August 2018 and is thought to be part of what Western countries described last December as a global hacking campaign by China's Ministry of State Security to steal corporate secrets.
According to Visma, its IT security staff detected the intrusion promptly. Although the incident did not affect any of Visma's clients' systems, it "could have been catastrophic" had it not been identified early.
"We have several teams of security professionals in Visma that use efficient systems and methods to protect our systems from being breached.
"Through the existing security programmes, coordinated response of our security teams and good advice from our partners, we were able to prevent client data from being compromised," said Espen Johansen, operations and security manager at Visma.
Visma is one of the largest cloud service providers in Europe. The firm offers online HR, accounting, and other software to over 900,000 customers across Scandinavia and other regions of Europe. The firm earned net revenue of over $1 billion in 2017.
By intruding into Visma's network, the hackers tried to gain access to hundreds of corporations across the world.
They used stolen valid user credentials for a Citrix remote-access software client to penetrate Visma's internal network. Visma employees use the software to gain access to the company's internal network.
After gaining access to the network, the hackers installed two malware strains - the Uppercut (Anel) backdoor and the Trochilus remote access Trojan - to search for and steal data from Visma's systems.
APT10 is thought to be one of the most significant Chinese state-sponsored cyber-security threats to global businesses. Based on the targets and volume of attacks by APT10, experts claim that the group's operations are supported by China's intelligence agencies.
According to Rapid7, APT10 also hacked the network of a US law firm in late 2017 and an international clothing brand in early 2018.
The attacks are believed to be a part of a global hacking campaign, codenamed Operation Cloudhopper, that started in 2017 and mainly targets cloud service providers.
In December, the US Department of Justice (DoJ) charged two Chinese nationals over attempted hacks against NASA, the US Navy, and several cloud providers. The DoJ claimed that these individuals were members of the APT10 group.
The investigators said that the APT10 attacks started in 2006, with hackers using spear-phishing to gather confidential information from employees of different companies. After gaining access, the hackers planted malware on corporate networks and stole large amounts of intellectual property.