Chinese intelligence hacked Norwegian software firm Visma to steal client secrets, investigators say

  • The alleged attack was part of a global effort by China’s Ministry of State Security to steal intellectual property and company secrets, say security experts
  • The claims came after Norway’s police intelligence agency accused Beijing of stealing information via technology provided by telecom tech giant Huawei
PUBLISHED : Thursday, 07 February, 2019, 1:03am
UPDATED : Thursday, 07 February, 2019, 10:03pm

Hackers working on behalf of Chinese intelligence breached the network of Norwegian software firm Visma to steal secrets from its clients, cybersecurity researchers said, in what a company executive described as a potentially catastrophic attack.

The attack was part of what Western countries said in December was a global hacking campaign by China’s Ministry of State Security to steal intellectual property and corporate secrets, according to investigators at cybersecurity firm Recorded Future.

China’s Ministry of State Security has no publicly available contacts. The foreign ministry did not respond to a request for comment, but Beijing has repeatedly denied any involvement in cyber-enabled spying.

Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers to reach their clients.

The revelations on Tuesday came after the Norwegian police intelligence agency PST, in its annual security evaluation, accused the Chinese government of stealing information from Norway’s cyber domain through technology provided by Chinese telecom tech giant Huawei. The Chinese embassy in Oslo called the claims “ridiculous”.

Cybersecurity firms and Western governments have warned about Cloudhopper several times since 2017 but have not disclosed the identities of the companies affected.

Reuters reported in December that Hewlett Packard Enterprise and IBM were two of the campaign’s victims, and Western officials caution in private that there are many more.

At the time IBM said it had no evidence sensitive corporate data had been compromised, and Hewlett Packard Enterprise said it could not comment on the Cloudhopper campaign.

Visma, which reported global revenues of US$1.3 billion last year, provides business software products to more than 900,000 companies across Scandinavia and parts of Europe.

The company’s operations and security manager, Espen Johansen, said the attack was detected shortly after the hackers accessed Visma’s systems and he was confident no client networks were accessed.

“But if I put on my paranoia hat, this could have been catastrophic,” he said. “If you are a big intelligence agency somewhere in the world and you want to harvest as much information as possible, you of course go for the convergence points, it’s a given fact.”

“I’m aware that we do have clients which are very interesting for nation states,” he said, declining to name any specific customers.

Paul Chichester, director for operations at Britain’s National Cyber Security Centre, said the Visma case highlighted the dangers organisations increasingly faced from cyberattacks on their supply chains.

“Because organisations are focused on improving their own cybersecurity, we are seeing an increase in activity targeting supply chains as actors try to find other ways in,” he said.

In a report, Recorded Future said the attackers first accessed Visma’s network by using a stolen set of login credentials and were operating as part of a hacking group known as APT 10, which Western officials say is behind the Cloudhopper campaign.

The US Department of Justice in December charged two alleged members of APT 10 with hacking US government agencies and dozens of businesses around the world on behalf of China’s Ministry of State Security.

Priscilla Moriuchi, director of strategic threat development at Recorded Future and a former intelligence officer at the US National Security Agency, said the hackers’ activity inside Visma’s network suggested they intended to infiltrate client systems in search of commercially sensitive information.

“We believe that APT 10 in this case exploited Visma networks to enable secondary operations against Visma’s customers, not necessarily to steal Visma’s own intellectual property,” she said.

“Because they caught it so early they were able to discourage and prevent those secondary attacks.”