Recorded Future has released a report on the investigation of a cyberespionage campaign conducted by a state-sponsored threat actor towards US and European companies last year. The report commends Visma's security work and transparency in the aftermath of the investigation and highlights the importance of industry collaboration in preventing cybercrime.
The report is a summary of an investigation of a sustained cyberespionage campaign conducted by Chinese state-sponsored threat actor, APT10, targeting at least three companies in the United States and Europe uncovered by Recorded Future and Rapid7 between November 2017 and September 2018.
Visma was identified as one of the targeted companies and was first warned of the attack by their own intelligence systems. Visma correlated the intelligence from Rapid 7 against their internal alerts and mitigated the threat. They soon confirmed that none of their clients' systems were affected.
"We have several teams of security professionals in Visma that use efficient systems and methods to protect our systems from being breached. Through the existing security programs, coordinated response of our security teams and good advice from our partners, we were able to prevent client data from being compromised," said Espen Johansen, Operations and Security Manager in Visma.
While mitigating the threat, Visma contacted Recorded Future to dig deeper into the incident, gather additional intelligence and ensure proper attribution.
The Visma Corporate Security Incident Response Team (Visma CSIRT) worked closely with their Product Security Operations Center (PSOC), NSM NorCERT, as well as the police throughout the process.
In this case, no client data was compromised, and Visma chose not to issue a general alert before they had conclusive evidence on who performed the theft.
Visma has transparency as a carrying principle for their business and will publish data on nation-state and criminal attacks against them both now and in the future. Sharing information contributes to public awareness of these matters and can motivate other organisations to do the same.
Johansen is careful to specify the importance of collaborating with the police, and encourages other organisations who suspect being the victim of similar attacks to follow the same example:
"As a general rule, we always report cyber attacks to the police – it is our responsibility as a corporation and our responsibility towards our clients. We are very thankful for the guidance and advice from NSM NorCERT, Police ( PST ), and other cooperating parties in this case. We urge all organisations to explore the opportunities that are available in CERT cooperation."
For more details, read the full report from Recorded Future.For more information, please contact: