BRATISLAVA, MONTREAL – December 17, 2020 – ESET Research discovered another supply-chain attack in Asia, this time on the website of the Vietnam Government Certification Authority (VGCA). The attackers modified two of the software installers available for download on this website by adding a backdoor in order to compromise users of the legitimate application. Supply-chain attacks appear to be a quite common compromise vector for cyberespionage groups. Cybercrime operation SignSight leverages malware known as PhantomNet or Smanager.
“In Vietnam, digital signatures are very common, as digitally signed documents have the same level of enforceability as wet signatures. In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures,” explains Matthieu Faou, one of ESET’s researchers investigating the SignSight operation.
The PhantomNet backdoor is quite simple and is able to collect victim information (computer name, hostname, username, OS version, user privileges [admin or not], and the public IP address) as well as install, remove and update malicious plugins. These additional and more complex plugins are probably only deployed on a few selected machines. By also installing the legitimate program, the attackers make sure that this compromise won’t be easily noticed by end users.
ESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website ceased delivering compromised software installers at the end of August 2020. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.
ESET has seen victims in the Philippines in addition to Vietnam.
For more technical details about operation SignSight, read the blog post “Operation SignSight: Supply- chain attack against a certification authority in Southeast Asia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.