UPDATED 21:27 EDT / FEBRUARY 06 2019

SECURITY

Chinese hacking group credited with attacks on MSP, retailer and law firm

Six weeks after the U.S. Department of Justice indicted two Chinese nationals over their role in the hacking group APT10, security researchers have detailed a campaign from the group that targeted systems in the U.S. and Norway.

Detailed today in a report written by researchers at Recorded Future Inc. and Rapid7 Inc., the APT10 “sustained campaign” ran between November 2017 and September 2018.

The campaign targeted Norwegian managed services provider Visma Software AS as well as an international apparel company and an American law firm that specializes in intellectual property law. The unnamed IP law firm is said to have clients in the pharmaceutical, tech, biomedical and automotive industries.

In all three cases, the attackers gained initial access to the victims' networks through their Citrix and LogMeIn remote-access deployments, logging in with stolen but valid user credentials. Once inside, the hackers elevated their privileges and then used "DLL sideloading" techniques to deliver malware.

The malware used is described as a newly discovered version of the Trochilus remote-access trojan. Trochilus, first detected in 2015, was described at the time as having been designed for cyberespionage operations.

Just how many people and companies were affected by the APT10 hacks is not known. Visma is a billion-dollar Norwegian software company that claims to have 850,000 customers around the world, meaning that any number of those customers could also have been targets.

“We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date,” the researchers wrote. “On top of the breadth, volume, and targets of attacks that APT10 has conducted since at least 2016, we now know that these operations are being run by the Chinese intelligence agency, the Ministry of State Security.”

The state-sponsored angle is notable because these attacks are not designed to raise money through extortion but to steal intellectual property. Previous attacks by the group have covered a diverse array of commercial activity, industries and technologies as well as government agencies, including the National Aeronautics and Space Administration.

Image: Recorded Future
