Vietnam targeted in a sophisticated supply-chain attack

Flag of Vietnam

Image: TH Chia

An unidentified hacking group carried out a sophisticated supply-chain attack against Vietnamese private companies and government agencies by inserting malware into an official government software toolkit.


The attack, discovered by security company ESET and detailed in a report titled “Operation SignSig”, targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues the digital certificates used to electronically sign official documents.

Any Vietnamese citizen, private company, or even another government agency that wants to submit files to the Vietnamese government must sign those documents with a VGCA-issued digital certificate.

VGCA not only issues these digital certificates, but also provides ready-to-use “client applications” that citizens, private companies, and government officials can install on their computers to automate the document-signing process.

But ESET says that at some point this year, hackers broke into the agency’s website, located at ca.gov.vn, and inserted malware into two of the VGCA client applications offered for download on the site.

The two files were the 32-bit (gca01-client-v2-x32-8.3.msi) and 64-bit (gca01-client-v2-x64-8.3.msi) client applications for Windows users.

ESET says that between July 23 and August 5 of this year, the two installers offered on the site were trojanized with a backdoor called PhantomNet, also known as Smanager.
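The practical check this incident calls for is to verify an installer against a digest pinned from an out-of-band source before running it, rather than trusting whatever the download site currently serves. The following is an added example, not code from ESET or the VGCA. The manifest digests are computed from constructed stand-in bytes because the article publishes no real hashes, and the tampered build is simulated by appending a payload to the clean bytes. The function fails closed: a file name that is not in the manifest is rejected.

```python
"""Pin-and-verify check for downloaded installers (added example, not VGCA or ESET code)."""
import hashlib
import hmac
import sys
from pathlib import Path

# Constructed stand-ins for the known-good installer contents. In practice the
# pinned digests come from a second channel (vendor bulletin, signed manifest,
# a copy obtained before the compromise window), never from the same site that
# serves the download, since an attacker who controls the site controls both.
_GOOD_X32 = b"constructed stand-in for gca01-client-v2-x32-8.3.msi"
_GOOD_X64 = b"constructed stand-in for gca01-client-v2-x64-8.3.msi"

# File name -> SHA-256 hex digest of the known-good build (constructed values).
PINNED_MANIFEST = {
    "gca01-client-v2-x32-8.3.msi": hashlib.sha256(_GOOD_X32).hexdigest(),
    "gca01-client-v2-x64-8.3.msi": hashlib.sha256(_GOOD_X64).hexdigest(),
}


def verify_bytes(name, data, manifest=PINNED_MANIFEST):
    """Return (ok, reason) for installer contents `data` claimed to be `name`.

    Unknown names are rejected (fail closed). The digest comparison is
    constant-time; it does not matter much for a local file check but costs
    nothing and avoids a timing side channel if this runs server-side.
    """
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not in pinned manifest, refusing to trust it"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: digest mismatch, got {actual[:16]}... expected {expected[:16]}..."
    return True, f"{name}: digest matches pinned value"


def verify_installer(path, manifest=PINNED_MANIFEST, chunk_size=1 << 20):
    """Stream a file from disk and verify it by its base name."""
    p = Path(path)
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    # Reuse verify_bytes' manifest logic by building a one-entry manifest
    # keyed on the already-computed digest.
    expected = manifest.get(p.name)
    if expected is None:
        return False, f"{p.name}: not in pinned manifest, refusing to trust it"
    if not hmac.compare_digest(h.hexdigest(), expected):
        return False, f"{p.name}: digest mismatch"
    return True, f"{p.name}: digest matches pinned value"


def demo():
    """Run the check over three constructed cases and return the verdicts."""
    tampered_x64 = _GOOD_X64 + b"\x00constructed appended payload"  # simulated trojanized build
    return {
        "clean_x32": verify_bytes("gca01-client-v2-x32-8.3.msi", _GOOD_X32),
        "tampered_x64": verify_bytes("gca01-client-v2-x64-8.3.msi", tampered_x64),
        "unknown_name": verify_bytes("gca01-client-v2-x64-9.0.msi", _GOOD_X64),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, reason = verify_installer(sys.argv[1])
        print(reason)
        sys.exit(0 if ok else 1)
    for case, (ok, reason) in demo().items():
        print(f"{case:13s} {'PASS' if ok else 'FAIL'}  {reason}")
```

A digest pin catches exactly the scenario in this incident, a replaced file on a legitimate site, but only if the pin predates the compromise window or comes from an independent channel. On Windows, checking the installer’s Authenticode signature (for example with Get-AuthenticodeSignature) is a complementary layer, since a trojanized MSI would either be unsigned or signed by a certificate other than the vendor’s.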

The malware itself was not very complex; the researchers described it as a skeleton for loading more powerful plug-ins.

Known plug-ins include functionality to retrieve the system’s proxy settings in order to get traffic past corporate firewalls, and the ability to download and run other (malicious) programs.

The security firm believes the backdoor was used for reconnaissance ahead of a more complex attack on selected targets.

ESET researchers said they notified the VGCA earlier this month, but that the agency already knew about the attack before it was contacted.

On the day that ESET published its report, the VGCA also formally admitted the security breach and published a tutorial on how users can remove malware from their systems.

PhantomNet victims also discovered in the Philippines

ESET said it also found victims infected with the PhantomNet backdoor in the Philippines, but was unable to say how those users were infected. Another delivery mechanism is suspected.

The Slovak security company did not formally attribute the attack to any particular group, but previous reports have linked the PhantomNet (Smanager) malware to Chinese state-sponsored cyber-espionage activity.

The VGCA incident marks the fifth major supply-chain attack this year, after:

  • SolarWinds – Russian hackers compromised the update mechanism of the SolarWinds Orion application and infected the internal networks of thousands of companies with the Sunburst malware.
  • Able Desktop – Chinese hackers compromised the update mechanism of a chat application used by hundreds of Mongolian government agencies.
  • GoldenSpy – A Chinese bank had been requiring foreign companies operating in China to install a backdoored tax software toolkit.
  • Wizvera VeraPort – North Korean hackers compromised the Wizvera VeraPort system to deliver malware to South Korean users.
