The VGCA website’s software installers were hacked with a backdoor, signaling the start of similar attacks in future within the region.

Earlier this month, the website of the Vietnam Government Certification Authority (VGCA) was attacked, wherein hackers modified two of the software installers available for download on the website by adding a backdoor to compromises users.

This kind of attack on the supply chain appears to be a quite common compromise vector for cyberespionage groups such as SignSight, which leverages malware known as PhantomNet or Smanager.

According to Matthieu Faou, one of the researchers from cybersecurity solutions firm ESET investigating the incident: “In Vietnam, digital signatures are very common as digitally-signed documents have the same level of enforceability as wet signatures. In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures.”

The PhantomNet backdoor is able to collect information (computer name, hostname, username, OS version, user privileges [admin or not], and the public IP address) as well as install, remove and update malicious plugins. These additional and more complex plugins are probably only deployed on a few selected machines. By also installing the legitimate program, the attackers make sure that this compromise would not be easily noticed by end users.

Researchers involved had notified the compromised organization and the country’s computer emergency response team. The VGCA had then confirmed that they were aware of the attack before ESET’s notification, and that they had already informed users that had downloaded the trojanized software. The website had apparently ceased delivering compromised software installers at the end of August 2020.

In addition to Vietnam, some Philippines users had also been affected.