The Oslo-based technology and financial services firm Visma, which has disclosed a hacker attack on its systems that took place last fall, is urging all companies and organizations to check their logs and systems continuously for any sign of intrusion. Visma believes that early discovery of its own intrusion played a critical role in limiting the damage and protecting its clients.
“We discovered (the hackers) quickly and they didn’t get more than a day or two, max, before we had cleaned them out,” Johansen told newspaper Dagens Næringsliv (DN) on Thursday. “We saw later that they tried to log in again, but didn’t manage to.”
Visma hired the US security firm Recorded Future to “dig deeper” into the attack, which was discovered and halted in September 2018. It is believed to be part of what has been called the “Cloudhopper” attacks, which began in November 2017 and may have hit as many as 45 companies in 12 countries.
Recorded Future, working with another security firm, Rapid7, probed the attack on Visma. Visma says its own security and incident response teams worked closely with Recorded Future, Rapid7, NorCERT (the national computer emergency response team under Norway’s national security authority NSM) and Norway’s police intelligence service PST “throughout the process.”
The investigation into the Visma attack has since concluded that the attack, “based on technical data uncovered,” was carried out by “a Chinese state-sponsored threat actor, APT10,” also known as Stone Panda, menuPass and CVNX, “in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage.”
Johansen says it is “utterly essential” to catch hackers early, so that they have less time inside a system. In Visma’s case, the fact that all employee passwords were stored in encrypted form blocked the hackers, who were cut off before they had the time needed to get past them. “The biggest problem with such players (hackers) is when they get enough time on the inside without being discovered,” Johansen told DN.
Visma opted to go public with its attack, publishing its own report, and has also made public Recorded Future’s investigative report into the attack. “We chose to go out with this because we believe openness is the only thing that’s useful if we’re going to fight back,” Johansen told DN. “How can we learn (about cyber attacks) if we don’t talk about them?”
He went so far as to refer to companies or institutions that opt against going public as “chickens,” adding that “the more you share, the more you learn.”
Praised the authorities
Johansen praised both PST, which warned earlier this week about cyber attacks from several countries including China, and NSM for their help during the investigation. He also urged that all attacks be reported to police, calling PST “extremely competent” in its anti-cyber-attack work.
Chinese officials have repeatedly denied having anything to do with cyber attacks but had no immediate comment on the Visma attack. Gunnar Bjørkavåg, former chief executive of DN’s parent company NHST who now chairs Visma’s board of directors, told DN that Visma had noted a “strong increase” in hacker attacks over the past two years and had “invested a lot” in its security at all levels.
Bjørkavåg, however, didn’t appear as convinced as Visma’s own announcement of its attack would imply that Chinese hackers are to blame. “We are taking under consideration the results from the probing efforts that have taken place,” he told DN. “At the same time there is uncertainty over who concretely was behind it.”
DN also reported on Thursday that among Recorded Future’s own earliest investors are ventures backed by Google and the US Central Intelligence Agency (CIA), including In-Q-Tel. The US is currently embroiled in a trade war with China, and Chinese officials could predictably question Recorded Future’s findings.
Recorded Future, meanwhile, insists that it operates entirely independently and that no authorities own or steer its operations. It called In-Q-Tel an “independent private entity” that primarily serves US authorities, but said that its support for Recorded Future is limited to venture financing and that no information is shared with authorities unless a court order is in place.
Recorded Future remains convinced that APT10 is the most significant, state-supported Chinese threat at present. Johansen of Visma recommended that “everyone” read its reports about the attack on Visma, see how the hackers operated “and check if they see any indicators in their own systems and logs.” He stressed that Visma is “only one of frightfully many companies” that have or can come under attack.
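Johansen’s advice above, to sweep your own logs for the indicators published in the investigative reports, and his earlier remark that the attackers “tried to log in again, but didn’t manage to,” both come down to the same mechanical task: matching a list of indicators of compromise (IOCs) against log lines and noticing repeated failures from a known-bad source. The script below is an added example written for this page; it is not Visma’s or Recorded Future’s code, and every indicator, hostname, user and log line in it is constructed for illustration (documentation-range IP addresses, `.example` domains, a made-up hash), not taken from the published reports. It tokenises each line before comparing, so that an address such as `198.51.100.70` is not mistaken for the indicator `198.51.100.7` by a naive substring search.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical IOC list, constructed for this example. A real sweep would load
# the indicators published in a vetted report instead of hard-coding them.
IOCS: Dict[str, Set[str]] = {
    "ipv4": {"198.51.100.7", "203.0.113.45"},
    "domain": {"update.evil.example", "cdn.badhost.example"},
    "sha256": {"a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2},
}

# Constructed sample log lines (proxy, authentication and endpoint events).
# Line 4 is a deliberate near-miss: 198.51.100.70 is not the IOC 198.51.100.7.
SAMPLE_LOGS: List[str] = [
    "2018-09-12T03:14:07Z proxy src=10.0.4.21 dst=198.51.100.7 host=update.evil.example method=POST bytes=48211",
    "2018-09-12T03:15:00Z auth user=jsmith src=10.0.4.21 result=success",
    "2018-09-12T03:20:41Z edr host=WS-0412 event=process_create sha256="
    + "a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2 + " image=C:\\Windows\\Temp\\svc.exe",
    "2018-09-13T09:02:11Z proxy src=10.0.4.30 dst=198.51.100.70 host=files.example.net method=GET bytes=512",
    "2018-09-13T22:01:09Z auth user=jsmith src=203.0.113.45 result=failure",
    "2018-09-13T22:01:13Z auth user=jsmith src=203.0.113.45 result=failure",
    "2018-09-13T22:01:20Z auth user=jsmith src=203.0.113.45 result=failure",
    "2018-09-14T08:00:00Z proxy src=10.0.4.30 dst=192.0.2.10 host=www.example.com method=GET bytes=1024",
]

# Token extractors. Look-arounds stop a match from starting or ending inside a
# longer run of digits/dots or hex, which is what defeats substring near-misses.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SHA256_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def extract_indicators(line: str) -> Dict[str, Set[str]]:
    """Pull candidate IOC tokens out of one log line, keyed by indicator type."""
    return {
        "ipv4": set(IPV4_RE.findall(line)),
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
        # host= values are lowercased; non-domain hostnames (e.g. WS-0412)
        # simply never match anything in the IOC set.
        "domain": {h.lower() for h in HOST_RE.findall(line)},
    }


def sweep(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Exact-token match of every line against the IOC sets; one hit per indicator found."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for kind, tokens in extract_indicators(line).items():
            for value in sorted(tokens & iocs.get(kind, set())):
                hits.append({"line": number, "kind": kind, "value": value, "raw": line})
    return hits


def failed_logins_from_iocs(
    lines: Iterable[str], iocs: Dict[str, Set[str]], threshold: int = 3
) -> Dict[Tuple[str, str], int]:
    """Count failed logins whose source IP is a known IOC; report (user, ip) pairs at or above threshold."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        fields = dict(KV_RE.findall(line))
        if fields.get("result") == "failure" and fields.get("src") in iocs["ipv4"]:
            counts[(fields.get("user", "?"), fields["src"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def summarize(hits: List[Dict[str, object]]) -> Dict[Tuple[str, str], int]:
    """Collapse hits to a count per (kind, value) for a quick triage view."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for hit in hits:
        counts[(str(hit["kind"]), str(hit["value"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, IOCS):
        print(f"line {hit['line']}: {hit['kind']} {hit['value']}")
    print("repeated failures from IOC sources:", failed_logins_from_iocs(SAMPLE_LOGS, IOCS))
```

The near-miss line produces no hit, the three failures from the IOC address are surfaced as a single (user, source) pair, and the summary shows which indicator recurs. In practice the same logic would be pointed at proxy, VPN/Citrix and authentication logs for the whole window in which the campaign was active, not just the days around the discovery.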