A group of unidentified hackers has carried out a clever supply-chain attack against Vietnamese private companies and government agencies by inserting malicious software into an official government software tool.
The attack, discovered by security firm ESET and detailed in a report called “Operation SignSight”, targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues the digital certificates used for electronically signing official documents.
Every Vietnamese citizen, private company and even other government body wishing to submit files to the Vietnamese government must sign their documents with a VGCA-compliant digital certificate.
VGCA not only issues these digital certificates, but also provides ready-made, user-friendly “client apps” that citizens, private companies and government bodies can install on their computers to automate the process of signing a document.
But ESET says that at some point this year, hackers broke into the agency’s website ca.gov.vn and planted malicious software in two of the VGCA client apps offered for download on the site.
The two files were the 32-bit (gca01-client-v2-x32-8.3.msi) and 64-bit (gca01-client-v2-x64-8.3.msi) client apps for Windows users.
ESET says that between July 23 and August 5 this year, the two files contained a backdoor trojan called PhantomNet, also known as Smanager.
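The report names two installer filenames and a date window, which is what a defender needs to go back through web-proxy logs and find hosts that fetched the trojanized clients. The script below is an added example, not code from ESET or VGCA; it assumes a hypothetical three-field proxy-log format and assumes the year was 2020 (the article only says “this year”).

```python
import re
from datetime import date, datetime

# Filenames of the two trojanized VGCA client installers named in the report.
TROJANIZED_INSTALLERS = {
    "gca01-client-v2-x32-8.3.msi",
    "gca01-client-v2-x64-8.3.msi",
}
# Window during which ESET says the downloads carried PhantomNet.
# The year is an assumption: the article only says "this year".
WINDOW_START = date(2020, 7, 23)
WINDOW_END = date(2020, 8, 5)

# Hypothetical proxy-log format: "<ISO timestamp> <client ip> <url>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def find_suspect_downloads(log_lines):
    """Return (timestamp, client, filename) for every download of one of the
    named installers from ca.gov.vn that falls inside the compromise window."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts_text, client, url = m.groups()
        try:
            ts = datetime.fromisoformat(ts_text)
        except ValueError:
            continue
        host_path = url.split("://", 1)[-1].split("?", 1)[0]
        host = host_path.split("/", 1)[0].lower()
        filename = host_path.rsplit("/", 1)[-1].lower()
        if host != "ca.gov.vn" or filename not in TROJANIZED_INSTALLERS:
            continue
        if WINDOW_START <= ts.date() <= WINDOW_END:
            hits.append((ts_text, client, filename))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-07-30T09:14:02 10.1.2.15 https://ca.gov.vn/gca01-client-v2-x64-8.3.msi",
    "2020-08-10T11:00:00 10.1.2.16 https://ca.gov.vn/gca01-client-v2-x32-8.3.msi",
    "2020-07-25T16:45:10 10.1.2.17 https://ca.gov.vn/gca01-client-v2-x32-8.3.msi",
    "2020-07-26T08:00:00 10.1.2.18 https://example.org/gca01-client-v2-x32-8.3.msi",
    "malformed line",
]

if __name__ == "__main__":
    for hit in find_suspect_downloads(SAMPLE_LOG):
        print("host to re-check:", hit)
```

A hit only means the host fetched a file that was trojanized during the window; the VGCA removal guide mentioned below is the next step for those machines.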
The malware itself was not very complex; it was essentially a framework for loading more potent plugins, researchers said.
Known plugins included functionality to retrieve proxy settings in order to bypass corporate firewalls, and the ability to download and run other (malicious) apps.
The security company believes the backdoor was used for reconnaissance before a more complex attack on selected targets.
ESET researchers said they notified VGCA earlier this month, but that the agency had already known about the attack before the contact.
On the day ESET published its report, VGCA also formally admitted the security breach and published a guide on how users could remove malicious software from their systems.
PhantomNet victims also discovered in the Philippines
ESET said it also found victims infected with the PhantomNet backdoor in the Philippines, but could not say how these users became infected. A different delivery mechanism is suspected.
The Slovak security firm did not formally attribute the attack to a specific group, but previous reports have linked the PhantomNet (Smanager) malware to Chinese state-sponsored cyber-espionage activity.
The VGCA incident marks the fifth major supply-chain attack this year, after:
- SolarWinds – Russian hackers compromised the update mechanism of the SolarWinds Orion app and infected the internal networks of thousands of companies around the globe with the Sunburst malware.
- Able Desktop – Chinese hackers compromised the update mechanism of a chat app used by hundreds of Mongolian government agencies.
- GoldenSpy – A Chinese bank forced foreign companies operating in China to install a tax software tool.
- Wizvera VeraPort – North Korean hackers compromised the Wizvera VeraPort system to deliver malicious software to South Korean users.