UPDATED: Just days after Norway’s police intelligence agency warned of cyberattacks carried out by hackers in Russia and China, large Norwegian data firm Visma confirmed it had been the target of such an attack. US investigators believe it came from China.
The first indication of the attack came September 4, Oslo-based Visma’s security chief Espen Johansen told newspaper Dagens Næringsliv (DN). The company disclosed the attack on Wednesday, with Johansen claiming the company quickly controlled it and that none of its clients’ systems were affected. Johansen stressed on Visma’s own website that the company has “several teams of security professionals” that were “able to prevent client data from being compromised.”
Hackers nonetheless had managed to steal internal encrypted passwords for “some Visma employees,” Johansen told Norwegian Broadcasting (NRK). He told DN in more detail that the hackers had initially obtained the user name and password of one Visma employee and could thus log into Visma’s system. After that, he told DN, the hackers gained access to and stole the user names and passwords of nearly all of Visma’s roughly 8,500 employees, but they were encrypted. It would have taken time to go further with them.
Since the attack was considered to be “advanced,” Visma hired specialists from the US firm Recorded Future to investigate it, and also reported the attack to Norwegian police and intelligence authorities. They concluded that the hackers worked for the Chinese intelligence agency, the Ministry of State Security (MSS), after linking them to a “Chinese state-sponsored threat actor, APT10,” also known as “Stone Panda.” Recorded Future “analyzed the intrusion” along with another US company, Rapid7, and “assessed” that the “cyberespionage campaign” was “conducted by … APT10.” They published their findings on Recorded Future’s website (external link to their report).
Recorded Future believes the attack on Visma, which handles the financial accounts and payment systems for a wide range of commercial businesses and organizations around the world, was part of a large, coordinated attack from China against several western countries. The investigators believe the Chinese APT10 “likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks,” not Visma itself.
Example of PST’s warning
The attack also targeted an unidentified international clothing company and a US law firm with clients in the pharmaceutical, technology, electronics, biomedical and automotive service sectors. It’s an example of what Norway’s police intelligence agency PST (Politiets Sikkerhetstjeneste) warned about in its annual threat assessment on Monday.
PST chief Benedicte Bjørnland noted that Norway can be especially vulnerable to cyber attacks because it’s one of the most digitalized societies in the world. Norwegian Broadcasting (NRK) reported Wednesday evening that the hackers were trying to gain access to business secrets and possibly pricing of Visma’s customers.
No comment from Chinese officials
Chinese authorities have repeatedly denied they have been involved in any cyber espionage. The Chinese Embassy in Oslo sent out a strongly worded statement after PST’s press briefing of its threat assessment on Monday, denying China had ever been involved in cyber attacks. It also mocked PST and suggested Norwegian intelligence could become a “laughing stock” if it doesn’t manage to provide proof of alleged Chinese attacks.
Chinese authorities were also upset that PST had warned Norwegian companies against doing business with the Chinese technology giant Huawei, precisely because it could become extremely familiar with Norway’s emerging 5G telecoms network and be forced to pass on information under the guise of Chinese national security.
NRK reported that the Chinese Embassy in Oslo refused to respond to requests for comment on the Visma case Wednesday, and there were no new statements on its website as of Wednesday night.
Openness praised and encouraged
Visma was being hailed by technology experts for being open about its attack, even though its confirmation came almost five months later. “Norwegian authorities have said for years that they wish more Norwegian companies would talk about attacks or incidents they’ve had,” Per Thorsheim, technology security chief for Nordic Choice Hotels, told NRK. “Their experience can be very useful for other companies.”
Thorsheim thinks there’s every reason to believe that the attack on Visma was an example of industrial espionage. Hackers and those paying them want insight into business plans, budgets and accounts, he said, along with information about new products and services. “That’s classic industrial espionage,” he told NRK.
Norway’s national security authority NSM was also made aware of the attack on Visma. Mona Strøm Arnøy, communications director for NSM, said it’s important that companies are open about such attacks, and that NSM hopes Visma’s openness can help others recognize how vulnerable they can be.
Visma said it chose not to issue a general alert until it had “conclusive evidence” of who carried out the attack. Johansen, Visma’s operations and security manager, said the company “as a general rule … always reports cyber attacks to the police. It’s our responsibility as a corporation and our responsibility towards our clients.” He said Visma was grateful for the help it had received and urged others to “explore the opportunities” available in national and international CERT (Computer Emergency Response Team) cooperation.