Norway blames China-linked APT31 for 2018 government hack

Norway’s police secret service said that the China-linked APT31 group was behind the 2018 cyberattack on the government’s IT network.

Norway’s Police Security Service (PST) said that the China-linked APT31 cyberespionage group was behind the attack that breached the government’s IT network in 2018.

The attribution of the attack to the APT31 group is based on the results of the investigation conducted by Norwegian intelligence.

The threat actors gained administrative rights, then used them to access centralized computer systems used by all state administration offices in the country and exfiltrate data.

The head of counterintelligence at the PST told Norwegian Broadcasting (NRK) that they discovered who is behind the attack.

“In this specific case, we have intelligence information that points in a clear direction towards the actor APT31 being behind the operation against the state administration,” head of counterintelligence Hanne Blomberg at the PST told the channel.

The agency has yet to fully determine what information was stolen by the hackers, but the investigation suggests that credentials of employees in various state administration offices might have been exposed.

“The investigation has revealed that the actor has succeeded in acquiring administrator rights that have given access to centralized computer systems used by all state administration offices in the country.” reads the statement published by the Norwegian intelligence agency.

“The actor also succeeded in transferring some data from the offices’ systems. No reliable technical findings have been made of what information was transferred, but the investigation shows that there were probably usernames and passwords associated with employees in various state administration offices. The investigation has not revealed any circumstances that indicate that the actor gained access to security-graded information at the relevant offices.”

The PST has found no evidence that the threat actors exfiltrated security-graded information.

APT31 (aka Zirconium) is a China-linked APT group that was involved in multiple cyber espionage operations. It made the headlines recently after the Check Point Research team discovered that the group used a tool dubbed Jian, which is a clone of the NSA Equation Group’s “EpMe” hacking tool, years before it was leaked online by the Shadow Brokers hackers.

APT31 is also believed to be behind an attack on the Parliament of Finland that took place in 2020. According to government experts, the hackers breached some parliament email accounts in December 2020.

In an e-mail sent to NRK, the Chinese Embassy in Norway condemned the PST’s claims and accused the PST of acting “irresponsibly.”

“China has never participated in or supported anyone in cyber attacks, and has always resolutely opposed and cracked down on such behavior. We are strongly opposed to the unfounded accusations against China.” reads the email sent by the Chinese Embassy in Norway.

“PST admitted in the interview that it is difficult to trace the source of the cyber attack, and the evidence is insufficient. It is very irresponsible to spread accusations of “assumption of guilt” without presenting clear evidence.”

The PST also blames the APT31 group for the attack on the Norwegian cloud service provider Visma AG that took place in the summer of 2018.

This is the first time that the Norwegian government has blamed China-linked APT groups for a cyber attack. In October, Norway’s government blamed Russia for the cyberattack that targeted the email system of the country’s parliament this summer.

Pierluigi Paganini

(SecurityAffairs – hacking, APT31)
