21 June 2021

Norway’s police said China-linked APT 31 was behind 2018 government hack



APT31, a threat actor believed to be working on behalf of the Chinese government, was behind the breach of the Norwegian government’s IT network in 2018, according to Hanne Blomberg, the head of counterintelligence at the Norwegian Police Intelligence Service (PST).

“In this specific case, we have intelligence information that points in a clear direction towards the actor APT31 being behind the operation against the state administration,” Blomberg told the state television network NRK.

“APT31 is a player that we associate with Chinese intelligence services,” she added.

In a statement released last week, the PST said the investigation conducted by Norwegian intelligence into the hack revealed that the threat actor obtained “administrator rights that have given access to centralized computer systems used by all state administration offices in the country. The actor also succeeded in transferring some data from the offices' systems.”

The agency has yet to fully determine what information was stolen by the hackers, but the investigation suggests that employees’ credentials for various state administration offices might have been stolen. There is no evidence that the attackers extracted classified information or “personal sensitive information related to citizens,” the PST said.

The agency also said the same group hacked Norwegian cloud service provider Visma AG in the summer of 2018.

APT31 (aka Zirconium, Judgement Panda, Bronze Vinewood) is believed to be a Chinese state-sponsored cyber espionage group focused primarily on obtaining information that can provide political, economic, and military advantages to the Chinese government and state-owned enterprises. Active since at least 2013, APT31 conducts mainly intellectual property theft and espionage operations using a range of tools and techniques to infect target systems, steal credentials, and move laterally within a compromised network.

