A group of mysterious hackers has carried out a clever supply chain attack against Vietnamese private companies and government agencies by inserting malware inside an official government software toolkit.
The attack, discovered by security firm ESET and detailed in a report named “Operation SignSight,” targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents.
Any Vietnamese citizen, private company, and even other government agency that wants to submit files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate.
The VGCA doesn’t only issue these digital certificates but also provides ready-made and user-friendly “client apps” that citizens, private companies, and government workers can install on their computers and automate the process of signing a document.
But ESET says that sometime this year, hackers broke into the agency’s website, located at ca.gov.vn, and inserted malware inside two of the VGCA client apps offered for download on the site.
The two files were 32-bit (gca01-client-v2-x32-8.3.msi) and 64-bit (gca01-client-v2-x64-8.3.msi) client apps for Windows users.
ESET says that between July 23 and August 5, this year, the two files contained a backdoor trojan named PhantomNet, also known as Smanager.
The malware wasn’t very complex but was merely a wireframe for more potent plugins, researchers said.
Known plugins included the functionality to retrieve proxy settings in order to bypass corporate firewalls and the ability to download and run other (malicious) apps.
The security firm believes the backdoor was used for reconnaissance prior to a more complex attack against selected targets.
ESET researchers said they notified the VGCA earlier this month but that the agency had already known of the attack prior to its contact.
On the day ESET published its report, the VGCA also formally admitted to the security breach and published a tutorial on how users could remove the malware from their systems.
PantomNet victims also discovered in the Philippines
ESET said that it also found victims infected with the PhantomNet backdoor in the Philippines but was unable to say how these users got infected. Another delivery mechanism is suspected.
The Slovak security firm didn’t formally attribute the attack to any particular group, but previous reports linked the PhatomNet (Smanager) malware to Chinese state-sponsored cyber-espionage activities.
The VGCA incident marks the fifth major supply chain attack this year after the likes of:
- SolarWinds – Russian hackers compromised the update mechanism of the SolarWinds Orion app and infected the internal networks of thousands of companies across the glove with the Sunburst malware.
- Able Desktop – Chinese hackers have compromised the update mechanism of a chat app used by hundreds of Mongolian government agencies.
- GoldenSpy – A Chinese bank had been forcing foreign companies activating in China to install a backdoored tax software toolkit.
- Wizvera VeraPort – North Korean hackers compromised the Wizvera VeraPort system to deliver malware to South Korean users.