Cyber Incident Victim: Visma
Date: Feb 2019
Location: Norway
Summary
Hackers associated with Chinese intelligence breached a Norwegian software firm's network using stolen credentials to target client secrets as part of the Cloudhopper campaign. The attackers, identified as APT10, aimed to exploit the company's access to infiltrate customer systems for commercially sensitive information, but early detection prevented secondary compromises. Security researchers attributed the operation to China's Ministry of State Security, highlighting risks to supply chains through service provider vulnerabilities. The incident underscored threats to organizations via third-party breaches, though the firm confirmed no client networks were accessed.
Description
In early 2019, Norwegian software firm Visma disclosed a cyber intrusion by hackers linked to China’s Ministry of State Security, identified as part of the broader Cloudhopper campaign targeting technology service providers to access client data. Investigators from Recorded Future and Rapid7 attributed the attack to APT10, a group Western officials associate with Chinese intelligence operations. The breach occurred when attackers used stolen login credentials to infiltrate Visma’s network, aiming to position themselves for secondary operations against its clients. Visma, which reported $1.3 billion in annual revenue and served over 900,000 businesses across Scandinavia and Europe, detected the intrusion shortly after the initial compromise. Company executives emphasized that no client networks were breached due to early detection, though they acknowledged the attack’s potential severity. The incident aligned with a pattern of Cloudhopper activity documented by cybersecurity firms and governments since 2017, which Reuters had previously connected to breaches at Hewlett Packard Enterprise and IBM. U.S. authorities had charged two alleged APT10 operatives in December 2018 for global intellectual property theft on behalf of Chinese intelligence.

Visma’s security team, led by Operations and Security Manager Espen Johansen, contained the breach before attackers could pivot to client systems, preventing data exfiltration. The company publicly disclosed the incident to highlight supply-chain risks, with Johansen noting that service providers like Visma are high-value targets for nation-states seeking centralized access to multiple organizations. Britain’s National Cyber Security Centre cited the case as emblematic of escalating threats to supply chains as attackers circumvent hardened corporate defenses. Recorded Future’s analysis confirmed the hackers’ intent to leverage Visma’s network for client-focused espionage rather than stealing Visma’s own intellectual property. While the attack did not result in confirmed data loss or client impacts, it underscored the operational sophistication of state-sponsored groups exploiting trusted vendor relationships. Visma’s collaboration with external investigators provided actionable intelligence on APT10’s tactics, though the company declined to identify specific clients potentially at risk. China’s government consistently denied involvement in cyber espionage operations despite Western allegations and indictments.
