China accused of cyber attacks on Norwegian IT systems

Norway has linked a series of cyber attacks against state and private IT infrastructure in 2018 to “bad actors” operating from China.

Based on technical and other evidence gathered by its central intelligence agencies, the Norwegian government blamed bad actors sponsored and operating from China for the serious cyber attack against state administration centres (SACs) in 2018.

The follow-up investigation led by Norway’s national security agency, the PST (Politiets Sikkerhetstjeneste), also concluded that the same “international threat actors” were responsible for both the cyber hacks against the SACs and a sustained malware attack against business software group Visma the same year.

The PST’s investigation, now closed, raised concerns that the cyber hackers who attacked the SAC’s major IT hubs in Oslo and Viken attempted to capture classified information relating to Norway’s national defence and security intelligence.

PST analysis did not conclusively establish whether the attackers succeeded in capturing classified information, but based on digital traces left by the hackers, the agency believes it is unlikely that classified data was seized. The PST was also unable to identify a digital evidence trail that would explain the primary motive for the attack on SAC IT networks.   

The SAC IT systems penetrated by the hackers are used by a large number of state departments and government agencies across Norway.

Based on the PST’s probe and technical findings, the information seized from the SAC IT network is believed to have included usernames and passwords associated with administrative employees working at various state offices, including departments dealing with defence, national security and state emergency preparedness.

“The similarity in methods, when applied to the use of malware, tools and digital infrastructure, means that we consider it probable that the same player that was behind the attack on the state administration offices is the same as the threat actor that attacked Visma,” the PTS said in a statement.

The evidence trail left by the attack on the SAC IT network points to China, said Hanne Blomberg, head of counter-intelligence at the PST.

“In this specific case, we have intelligence information that points in a clear direction towards the threat actor APT31 as being behind the attack against state administration IT networks. APT31 is a player we associate as being linked with China’s intelligence services,” said Blomberg.

The APT31 group is suspected of involvement in a series of cyber attacks against IT networks in Europe and the US since 2016.

In the Nordic countries, APT31 has been linked to the attacks that breached the internal IT security systems of Finland’s national parliament (the Eduskunta) in 2020. The attack, which was disclosed in December 2020, resulted in hackers gaining access to the email accounts of members of parliament and senior civil servants.

As regards the SAC breach in Norway, the first internal security alerts were raised after hackers penetrated computer systems operated by the County Governor Offices (CGOs) in Aust-Agder and Vest-Agder. Hackers then used the IT systems as a gateway to access the computer systems of CGOs in Hedmark, Oslo and Akershus. At that point, the attackers were able to access a CGO IT system that is shared with state administration offices across the country.

“The state administration centres handle a broad array of information, ranging from person-sensitive medical records to information on national security, including on defence and emergency preparedness,” said Blomberg.

APT31 has earned a global reputation for using phishing attacks to trick employees of private and public organisations to provide usernames and passwords, said Erik Alexander Løkken, head of managed security services at Mnemonic.

“Hackers can capture usernames and passwords to enable them to log on to VPN-type systems,” he said. “The more advanced state digital threat actors spend a lot of time mapping organisations that they target for attack. APT31 is known to use backdoor software that has the ability to upload data to well-known file-sharing services such as Dropbox, Microsoft OneDrive and other similar file-hosting service platforms.”

The deepening relationship between state and private players in Norway’s cyber security domain saw Mnemonic reach an information exchange cooperation deal with the National Cyber Crime Centre (NC3) in June. The arrangement is intended to bolster the cyber crime combat and prevention capabilities of the NC3, which operates under the Norwegian National Criminal Investigation Service.

Despite its suspicions that the APT31, or other bad actors in China, launched the 2018 attacks, the PST decided to close the investigation because of a lack of concrete evidence, said Kathrine Tonstad, a senior lawyer with the agency.

“This was an advanced and professional cyber attack against computer systems,” she said. “It was executed in a highly sophisticated manner. As is often the case in these situations, it can be difficult to follow the tracks when they traverse many countries. Therefore, it is difficult to prove with a high degree of certainty who lies behind it. We do not have enough evidence to allow us to pursue the investigation any further under our criminal law statutes.”

Norway’s central intelligence services also suspect that threat actors in China were behind a cyber attack against the Storting’s (national parliament) IT system on 10 March 2021. Ine Eriksen Søreide, Norway’s foreign minister, accused China-sponsored threat actors for launching the attack, which penetrated the Storting’s email system. China has denied any involvement.

“We hold China responsible for the computer attack,” said Søreide. “This is based on intelligence by countries affected and the digital traces the attack left. Chinese authorities have a duty to ensure that this type of activity does not take place on their territory. Our intelligence information is that this computer attack was carried out from China.”

Cyber experts tasked with investigating the data breach found that hackers had exploited vulnerabilities in the Storting’s email system, in particular security weaknesses relating to the parliament’s Microsoft Exchange email server. The cyber strike against the Storting was part of a much wider attack on computer systems worldwide that exploited flaws in Microsoft Exchange Server email software.