After SolarWinds Data Breach in US, Vietnam Targeted in Similar Supply-Chain Cyberattack

Suspected Chinese hackers infected two Vietnamese government digital certificate client apps with PhantomNet malware to create a backdoor.

Earlier this month alarm bells rang in the US after an IT management software provider SolarWinds found a massive breach in its network. Alleged Russian hackers managed to invade the network and stay hidden for nearly nine months before trojanizing an update to get into its clients' networks. The massive hack had over a dozen US government agencies breached beside private companies like Cisco and Microsoft.

Now, Vietnam is under a similar supply-chain attack, compromising government agencies and private companies. According to cybersecurity researchers, the unknown hackers were able to deploy malware inside a government software toolkit. The supply-chain attack was discovered by Slovak cybersecurity and antivirus firm ESET and named "Operation SignSight".

The cyberattacks targeted Vietnam Government Certification Authority (VGCA), an agency responsible for issuing digital certificates needed to digitally sign official documents. According to ESET, the hackers invaded the agency's website (ca.gov.vn) and deployed a malware named PhantomNet in two VGCA Windows client apps (32-bit and 64-bit) between July and August this year.

Vietnam
Vietnam government agencies and private companies were targeted by suspected Chinese hackers in a supply-chain attack Pixabay

Compromising VGCA

In Vietnam, a digital signature gets the same level of credibility and enforceability as the conventional wet signatures. Hence it is a popular method of submitting documents to the government. To make it easier to sign digitally, the VGCA also provides client software that everyone can use. Hacker modified and trojanized the client apps.

While none of the Vietnamese government agencies that were targeted by the malware reported any data breaches, researchers said that the backdoor might have been created for a future attack. As many government agencies, private companies and citizens use the client software, the malware could have been deployed as part of a reconnaissance mission before a more complex future cyberattack.

The researchers said that the malware wasn't complex. Rather, it was a wireframe for potent plugins that could retrieve proxy settings and bypass corporate firewalls. It could also download and run malicious apps.

VGCA website
Hackers placed PhantomNet malware inside the VGCA digital certificate clients (32-bit and 64-bit) ESET

"With the compromise of Able Desktop, the attack on WIZVERA VeraPort by Lazarus and the recent supply-chain attack on SolarWinds Orion, we see that supply-chain attacks are a quite common compromise vector for cyberespionage groups. In this specific case, they compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust," the researchers added.

Is Chinese Hacker Group Behind the Attack?

The PhantomNet malware, also known as Smanager, was also used to infect victims in the Philippines. The hackers created backdoors but ESET could not verify the delivery mechanism in the country. While ESET didn't attribute the Vietnam hack to any particular group, PhantomNet had been previously used by Chinese state-backed espionage groups. VinCSS cybersecurity group attributed the supply-chain attack in Vietnam to the state-backed China Panda hacker group.

MosaicRegressor malware
Alleged state-backed China Panda had previously used PhantomNet or Smanager malware in cyberespionage (representational image) Pixabay

As ESET informed the VGCA about the infected versions of the software present on the website, the agency said that it had already noticed the attack and had taken action. Both the client software have been taken down and replaced with official clean versions. However, with the attempt in Vietnam, such supply-chain attacks are on the rise. In 2020 alone, there have been five supply-chain attacks, ZDNet reported. ESET said such attacks are difficult to detect as the malware could hide inside legitimate software without being noticed.

"Supply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult," ESET researchers said.

Related topics : Cybersecurity
READ MORE