A sustained cyberespionage campaign targeting at least three companies in the United States and Europe was uncovered by Recorded Future and Rapid7 between November 2017 and September 2018. Based on the technical data uncovered, and in light of recent disclosures by the U.S. Department of Justice on the ongoing activities of Chinese state-sponsored threat actors, we assess with high confidence that these incidents were conducted by APT10 (also known as Stone Panda, menuPass, CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage.
The targeted companies included:
- Visma, a billion-dollar Norwegian IT and business cloud services managed service provider (MSP) with at least 850,000 customers globally, which is also a Recorded Future client and supplier
- An international apparel company
- A U.S. law firm with strong experience in intellectual property law with clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, among others
In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials.
Source: Recorded Future