Vietnam is targeted in a complex supply chain attack


A group of unidentified hackers has carried out a clever supply chain attack on Vietnamese private companies and government agencies by inserting malware into an official software toolkit.


The attack, which was discovered by the security firm ESET and described in a report entitled “Operation SignSight”, targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues the digital certificates used to sign documents electronically in an official capacity.

Any Vietnamese citizen, private company and even other government agencies wishing to submit files to the Vietnamese government must sign their documents with a VGCA-compliant digital certificate.

The VGCA not only issues these digital certificates, but also offers ready-made, user-friendly ‘client apps’ that citizens, private companies and government workers can install on their computers to automate the process of signing a document.

But ESET says that at some point this year hackers breached the agency’s website, ca.gov.vn, and inserted malware into two of the VGCA client programs available for download from the site.

The two files were 32-bit (gca01-client-v2-x32-8.3.msi) and 64-bit (gca01-client-v2-x64-8.3.msi) client programs for Windows users.
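The defensive lesson of this incident is that a download page and the packages it serves can both be under attacker control, so the integrity reference has to come from somewhere else. The following script is an added example (not code from ESET, the VGCA or the original article): it streams each downloaded package through SHA-256 and compares it with a manifest of expected hashes that is assumed to have been obtained through a separate, trusted channel. The manifest values and the file contents are constructed placeholders; they are not the real hashes of the VGCA client packages. The file names are the two packages named in the article.

```python
"""Verify downloaded installer packages against a pinned SHA-256 manifest.

Added example, not from ESET, the VGCA or the article. The manifest values
are constructed for the demo and are NOT the real hashes of the VGCA packages.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large MSI never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_downloads(download_dir: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Classify every file in download_dir as 'ok', 'mismatch' or 'unlisted'.

    'mismatch' is the signal that matters: the file name is one the vendor
    publishes, but the bytes are not the bytes the vendor published. Such a
    package must not be installed until the vendor confirms it out of band.
    'unlisted' files are not covered by the manifest at all and are reported
    so that the operator notices gaps in the allowlist.
    """
    results: dict[str, str] = {}
    for entry in sorted(download_dir.iterdir()):
        if not entry.is_file():
            continue
        expected = manifest.get(entry.name)
        if expected is None:
            results[entry.name] = "unlisted"
        elif sha256_of_file(entry) == expected.lower():
            results[entry.name] = "ok"
        else:
            results[entry.name] = "mismatch"
    return results


def demo() -> dict[str, str]:
    """Build a throwaway download directory with constructed files and check it.

    The 32-bit package is left untouched; the 64-bit package simulates a
    replaced installer by having different contents from what the manifest
    expects (a constructed scenario, not the real modification described by ESET).
    """
    pristine_x32 = b"constructed: pristine 32-bit client package\n"
    pristine_x64 = b"constructed: pristine 64-bit client package\n"
    replaced_x64 = b"constructed: 64-bit package with an extra payload appended\n"

    # Manifest assumed to come from a trusted, separate channel (constructed here).
    manifest = {
        "gca01-client-v2-x32-8.3.msi": hashlib.sha256(pristine_x32).hexdigest(),
        "gca01-client-v2-x64-8.3.msi": hashlib.sha256(pristine_x64).hexdigest(),
    }

    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp)
        (downloads / "gca01-client-v2-x32-8.3.msi").write_bytes(pristine_x32)
        (downloads / "gca01-client-v2-x64-8.3.msi").write_bytes(replaced_x64)
        (downloads / "readme.txt").write_bytes(b"constructed: not in manifest")
        return verify_downloads(downloads, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

The check only adds value if the manifest is fetched from a source the attacker did not also control; a hash list served from the same compromised site is worthless. Where the vendor signs its packages, verifying that signature against a pinned publisher certificate is the stronger control, and the hash comparison above is a complement for packages that ship unsigned.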

ESET says that between July 23 and August 5 this year the two files contained a backdoor trojan known as PhantomNet, also called Smanager.

The malware itself was not very complex, but served merely as a framework for more powerful plugins, the researchers said.

Known plugins included the ability to retrieve proxy settings in order to bypass corporate firewalls, and the ability to download and run other (malicious) programs.

The security firm believes the backdoor was used for reconnaissance ahead of a more complex attack on selected targets.

ESET researchers said they notified the VGCA earlier this month, but that the agency already knew about the attack before being contacted.

On the day ESET published its report, the VGCA also formally acknowledged the breach and published a guide on how users could remove the malware from their systems.

PhantomNet victims were also discovered in the Philippines

ESET said it also found victims of the PhantomNet backdoor in the Philippines, but could not determine how those users were infected. A different delivery mechanism is suspected.

The Slovak security firm did not formally attribute the attack to a specific group, but previous reports have linked the PhantomNet (Smanager) malware to Chinese state-sponsored cyber-espionage activity.

The VGCA incident is the fifth major supply chain attack disclosed this year, after:

  • SolarWinds – Russian hackers compromised the SolarWinds Orion update mechanism, infecting the internal networks of thousands of companies with the Sunburst malware.
  • Able Desktop – Chinese hackers compromised the update mechanism of a chat program used by hundreds of Mongolian government agencies.
  • GoldenSpy – A Chinese bank forced foreign companies operating in China to install a tax software toolkit that contained a backdoor.
  • Wizvera VeraPort – North Korean hackers compromised the Wizvera VeraPort system to deliver malware to South Korean users.
