Supply chain attack carried out against government agencies in Vietnam
A group of hackers attacked the government certification authority in Vietnam and used its PKI to their advantage
Ami Rojkes Dombe
| 31/12/2020
Photo: Bigstock
A supply chain attack against private Vietnamese companies and government agencies was carried out by a mysterious group of hackers who inserted malware into an official toolkit of government software. The attack discovered by security firm ESET and detailed in a report named "Operation SignSight" was focused on the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents.
Every Vietnamese citizen, private company, and even government agency interested in submitting files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate. The VGCA doesn't only issue these digital certificates, but also provides ready-made and user-friendly "client apps" that citizens, private companies, and government workers can install on their computers and automate the process of signing a document.
Researchers said that the malware wasn't very complex but was merely a framework for more potent plugins, researchers said. These plugins included the functionality to retrieve proxy settings in order to bypass corporate firewalls and the ability to download and run other (malicious) apps. The security firm believes the backdoor was used for reconnaissance prior to a more complex attack against selected targets.
The data was breached over the encrypted HTTPS protocol, with the group making use of SSL pinning. This type of mechanism enables the group to keep the traffic route encrypted and relatively resistant to man-in-the-middle attacks. Dynamic DNS providers were also used.
A group of hackers attacked the government certification authority in Vietnam and used its PKI to their advantage
Photo: Bigstock
A supply chain attack against private Vietnamese companies and government agencies was carried out by a mysterious group of hackers who inserted malware into an official toolkit of government software. The attack discovered by security firm ESET and detailed in a report named "Operation SignSight" was focused on the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents.
Every Vietnamese citizen, private company, and even government agency interested in submitting files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate. The VGCA doesn't only issue these digital certificates, but also provides ready-made and user-friendly "client apps" that citizens, private companies, and government workers can install on their computers and automate the process of signing a document.
Researchers said that the malware wasn't very complex but was merely a framework for more potent plugins, researchers said. These plugins included the functionality to retrieve proxy settings in order to bypass corporate firewalls and the ability to download and run other (malicious) apps. The security firm believes the backdoor was used for reconnaissance prior to a more complex attack against selected targets.
The data was breached over the encrypted HTTPS protocol, with the group making use of SSL pinning. This type of mechanism enables the group to keep the traffic route encrypted and relatively resistant to man-in-the-middle attacks. Dynamic DNS providers were also used.
