Cloud software provider ‘Visma’ of Norway hacked by hacking group APT10

Hacking group called APT10, who were believed to be working for the Chinese intelligence agencies, hacked and then stolen data from a Norwegian company called Visma. Visma provides the cloud-based business software solutions to the European companies.

The intrusion on Visma's network occurred on Aug. 17, 2018, as per the joint report published by the US cyber-security firms Recorded Future and Rapid7. As per the report, hackers backed by the Chinese government breached Visma's internal network by using the stolen valid credentials of user for Citrix remote-access software client, which are used by the employees of Visma for accessing the internal network of the company.

Once the hackers gain access of the network, they installed 2 malware strains - Trochilus remote access Trojan and Uppercut (Anel) backdoor - in order to search and then steal data from the systems of Visma.

Visma formally admitted about the hack on February 6, 2019, in a statement that was published on their website. As per the Norwegian company, their IT security staff has detected the intrusion quickly. Although this incident didn't affect any of the clients' systems of Visma, it "could have been catastrophic" if not identified early.

Espen Johansen, security and operations manager at Visma, said that "we have several teams of security professionals in Visma that use efficient systems and methods to protect our systems from being breached. Through the existing security programmes, coordinated response of our security teams and good advice from our partners, we were able to prevent client data from being compromised".

One of the Europe's largest cloud-based MSP (Managed Service Providers) is Visma. The firm provides online HR, accounting, as well as other software to more than 900,000 customers across the Scandinavia and other European regions.

By intruding the network of Visma, the hackers attempted gaining access to several hundreds of corporations all over the world.

Moreover, Rapid7 identified various other APT10 hacks also on the basis of data gathered during Visma incident response. The experts said that APT10 also breached a law firm of US in late 2017 that help the Chinese companies to enter US market, and one international apparel company in early 2018. All these attacks were supposed to be a part of global hacking campaign, i.e. codenamed as Operation Cloudhopper, which started in the year 2017 and mainly targeted the cloud service providers.

» SPAMfighter News - 3/22/2019