Norway’s police intelligence agency PST has, for the first time, declared that it has traced a major hacking attack on Norwegian county officials in 2018 to China. The intelligence agency is going public after also feeling forced to drop the case, because it would be difficult to prosecute in court.
“We have, in this concrete case, intelligence information that clearly points to a player known as APT31 as being behind the operation,” Hanne Blomberg, chief of counter intelligence at PST, told Norwegian Broadcasting (NRK) on Thursday.
Blomberg identified APT31 as a “player that we connect to China’s intelligence agency.” It’s more widely known as a hacker group that also has launched attacks in Finland and the US along with Norway and other countries. The goal is often to steal information that can help Chinese companies and China’s own technological development, or to obtain information about other countries’ defense or preparedness.
The attack in the summer of 2018 targeted county governor offices now called statsforvaltere, usually led by top politicians appointed as the monarch’s representatives around Norway in regions known as fylker. Such offices in Oslo and Viken, the large region surrounding Oslo, were directly affected.
‘Quite certain about this’
Blomberg told NRK that PST (Politiets sikkerhetstjeneste) gathers information in order to evaluate threats against Norway and ward them off. It also conducts research and investigations, but the intelligence that links the attacks to China probably couldn’t be used in a criminal court case, not least because it’s classified.
“That’s the challenge of being an intelligence agency,” Blomberg said. “We often have classified information that we may have gathered ourselves and can’t declassify. We can have sources that we want to protect, or we can have received information from intelligence agencies with whom we cooperate that we can’t use in a court case.”
In this case, she said, “we have information that’s concrete and points to APT31, and we’re quite certain about that.”
She described the attack in 2018 as “thorough and advanced.” The hackers first gained entry to the data systems of what was then called the Fylkesmannen in Aust- and Vest-Agder in southern Norway. From there they managed to infiltrate systems of similar administrative offices in the former Hedmark County (now part of Innlandet County) and those in Oslo and Akershus. From there they attacked systems over the entire country and managed to retrieve information, the nature of which was not revealed.
‘Reason for concern’
PST launched an investigation to find out whether the attack was espionage aimed at stealing state secrets. The offices targeted handle various types of sensitive information, both of a personal character like medical data, and tied to national security. That can in turn include information tied to defense and preparedness, for example, prosecutor Kathrine Tonstad in PST told NRK.
“That’s why there was reason for concern, and the reason that PST carried out its investigation,” Tonstad said. “We can see that the attacker has gained access to data and stolen some of it. We think they have stolen user names and passwords to employees of the regional administrative offices.”
Erik Alexander Løkken of the Norwegian security firm Mnemonic told NRK that APT31 is “known for using email to lure targets into unwittingly sharing their user names and passwords.” Then they use that to log into remote systems like those enabling use of home offices. “APT,” he said, stands for Advanced Persistent Threat.
APT31 is also known as Judgement Panda, Zirconium and Bronze Vinewood. NRK reported that in international security circles, APT31 is viewed as being managed by China’s Ministry of State Security (MSS).
NRK reported that it sought comment from China’s embassy in Oslo but had not received a response as of Thursday afternoon.