China-based state-sponsored hackers compromised an unnamed certificate authority and several government and defense agencies in several Asian countries. In at least one instance, a large number of machines on the network belonging to a government agency were breached, according to Broadcom's Symantec Threat Hunter Team.
“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic,” Symantec said, adding that they found no evidence that the threat actors were successful in compromising digital certificates.
Known as Billbug, Lotus Blossom, or Thrip, the group has been active since at least 2009 and is known to focus on targets in Asian countries.
“The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns,” Symantec researchers wrote. “Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past.”
In the latest campaign, which has been ongoing since March 2022, the attackers gained initial access to victims' networks by exploiting public-facing applications. The attackers also used multiple dual-use tools such as AdFind, Certutil, and PortScanner, as well as the custom Hannotog and Sagerunex backdoors that were seen in past Billbug campaigns.
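The dual-use tools named above are each common administrative noise on their own; what gives them signal is several of them appearing on one host in a short window. The following is an added detection example, not Symantec's code and not taken from the report: it correlates constructed process-creation events (field layout, host names, users and paths are all assumptions for illustration) and raises one alert per host when at least two distinct dual-use tools ran within a sliding one-hour window, noting any that ran from a non-system directory.

```python
"""Correlate dual-use tool executions per host.

Added example, not Symantec's code. The event layout is loosely modelled on
Windows process-creation telemetry (Sysmon event 1 / security event 4688);
the sample events below are constructed and every host, user and path in
them is an assumption made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Dual-use tools named in the report, keyed by the executable name as it
# would appear in the image path. Any one alone is routine; several on one
# host in a short window is worth an analyst's attention.
DUAL_USE_TOOLS = {
    "adfind.exe": "AdFind",
    "certutil.exe": "Certutil",
    "portscan.exe": "PortScanner",  # assumed file name for a port scanner
}

# Directories from which a built-in such as certutil is expected to run.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events: (ISO timestamp, host, image path, user).
SAMPLE_EVENTS = [
    ("2022-03-14T09:00:12", "fs01", "C:\\Windows\\System32\\certutil.exe", "svc_backup"),
    ("2022-03-14T09:03:40", "fs01", "C:\\Users\\Public\\adfind.exe", "svc_backup"),
    ("2022-03-14T09:10:05", "fs01", "C:\\Users\\Public\\portscan.exe", "svc_backup"),
    ("2022-03-14T11:20:00", "ws07", "C:\\Windows\\System32\\certutil.exe", "alice"),
    ("2022-03-15T08:00:00", "dc01", "C:\\Tools\\adfind.exe", "admin"),
]


def tool_name(image_path):
    """Return the dual-use tool label for an image path, or None."""
    base = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return DUAL_USE_TOOLS.get(base)


def outside_system_dirs(image_path):
    """True when the image did not run from a Windows system directory."""
    return not image_path.replace("/", "\\").lower().startswith(SYSTEM_DIRS)


def correlate(events, window=timedelta(hours=1), min_tools=2):
    """Return {host: {"tools": [...], "nonstandard_paths": [...]}} for every
    host where at least min_tools distinct dual-use tools ran within one
    sliding window. Hosts with a single tool, or tools spread out over a
    longer period, produce no alert."""
    per_host = defaultdict(list)
    for ts, host, image, _user in events:
        name = tool_name(image)
        if name:
            per_host[host].append((datetime.fromisoformat(ts), name, image))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            tools = {name for _, name, _ in in_window}
            if len(tools) >= min_tools:
                alerts[host] = {
                    "tools": sorted(tools),
                    "nonstandard_paths": sorted(
                        {img for _, _, img in in_window if outside_system_dirs(img)}
                    ),
                }
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for host, detail in correlate(SAMPLE_EVENTS).items():
        print(host, detail)
```

Tuning `window` and `min_tools` trades sensitivity for noise; the path check is a second, independent observation that helps an analyst decide whether an alert is an administrator's scripted task or something to pull the host for.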
“While we do not see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor, indicating that data theft is the most likely motivation in this campaign. The victims in this campaign – government agencies and a certificate authority – also point to an espionage and data-theft motive. The targeting of the government victims is most likely driven by espionage motivations, with the certificate authority likely targeted in order to steal legitimate digital certificates,” Symantec said.