Recent reports reveal a sophisticated supply-chain attack targeting the Vietnam Government Certification Authority (VGCA). This breach involved the manipulation of the agency’s digital signature toolkit, allowing hackers to implant a backdoor into affected systems.
The incident was brought to light by Slovak cybersecurity firm ESET, which identified the assault, referred to as the “SignSight” attack. By corrupting software installers available on the VGCA’s website, the attackers embedded a spyware tool known as PhantomNet or Smanager.
According to telemetry data from ESET, the breach occurred between July 23 and August 16, 2020. The compromised software packages, identified as “gca01-client-v2-x32-8.3.msi” and “gca01-client-v2-x64-8.3.msi,” were altered to include malicious code for both 32-bit and 64-bit Windows environments.
ESET’s Matthieu Faou emphasized the risk associated with compromising a certification authority’s website, noting that users typically hold high trust in state organizations tasked with managing digital signatures. Following the discovery, VGCA confirmed they were aware of the attack prior to ESET’s notification and had alerted users who had downloaded the compromised software.
This digital signature toolkit, implemented by Vietnam’s Government Cipher Committee, plays a critical role in the electronic authentication landscape, enabling both government and private sector entities to digitally sign documents via a USB token. That token depends on the very client driver that the malicious installers carried.
Infecting a system requires users to manually download and execute the compromised software sourced from the official VGCA website. Upon installation, the altered software runs the legitimate GCA program to obscure evidence of the breach, while simultaneously activating the PhantomNet backdoor, disguised under the innocuous name “eToken.exe.”
The backdoor, reportedly compiled as recently as April 26, is designed to gather system data and potentially deploy additional malicious capabilities through plugins served from hard-coded command-and-control servers. Notably, some of these servers mimic the name of the VGCA itself and the names of popular productivity software, using domains like “vgca.homeunix[.]org” and “office365.blogdns[.]com.”
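The two C2 domains named above share a pattern that a defender can hunt for: a trusted brand name (“vgca”, “office365”) placed under a dynamic-DNS parent domain. The following detection is an added example written for this page; it is not code from ESET or from the article. It scans constructed DNS log lines for the exact domains the report lists and for lookalike names built the same way. The log line format (`timestamp host query domain`), the hostnames, and the list of dynamic-DNS parents are assumptions; an operator would replace them with their own resolver format and threat-intel lists.

```python
# Added example (not from the ESET report or the article): hunt DNS logs for the
# PhantomNet C2 domains named in the report and for lookalike names that put a
# trusted brand under a dynamic-DNS parent domain.
import re
from collections import namedtuple

# Domains printed de-fanged in the article ("vgca.homeunix[.]org"), restored here
# so they match what a resolver log actually records.
KNOWN_C2 = {"vgca.homeunix.org", "office365.blogdns.com"}

# Assumption: dynamic-DNS parents, derived from the two reported domains. In
# practice this list comes from the organisation's own threat-intel feed.
DYNDNS_PARENTS = {"homeunix.org", "blogdns.com"}

# Brand names the attackers imitated, per the report.
IMPERSONATED = ("vgca", "office365")

Finding = namedtuple("Finding", "ts host domain reason")

# Assumed log format: "<ISO timestamp> <client host> query <domain>"
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<domain>\S+)$")


def normalize(domain):
    """Lower-case the name and drop a trailing root dot so matching is stable."""
    return domain.lower().rstrip(".")


def classify(domain):
    """Return a reason string if the domain is suspicious, else None."""
    d = normalize(domain)
    if d in KNOWN_C2:
        return "known PhantomNet C2 domain"
    # Parent = last two labels; lookalikes reuse the same dynamic-DNS parents.
    parent = ".".join(d.split(".")[-2:])
    if parent in DYNDNS_PARENTS and any(brand in d for brand in IMPERSONATED):
        return "brand name under dynamic-DNS parent"
    return None


def scan(lines):
    """Parse log lines, skip malformed ones, and collect suspicious queries."""
    findings = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; ignore rather than crash
        reason = classify(m["domain"])
        if reason:
            findings.append(Finding(m["ts"], m["host"], normalize(m["domain"]), reason))
    return findings


# Constructed sample log: the two reported C2 domains, two benign queries,
# one lookalike built on the same pattern, and one malformed line.
SAMPLE_LOG = [
    "2020-08-03T09:12:44Z ws-017 query vgca.homeunix.org",
    "2020-08-03T09:12:45Z ws-017 query office365.blogdns.com",
    "2020-08-03T09:13:01Z ws-022 query login.microsoftonline.com",
    "2020-08-03T09:13:05Z ws-022 query www.example.org",
    "2020-08-03T09:14:10Z ws-031 query VGCA-update.homeunix.org.",
    "this line is not a DNS record",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} -> {f.domain}: {f.reason}")
```

The lookalike rule deliberately fires on the parent-plus-brand pattern rather than on the two exact names alone, so a rotated C2 host on the same dynamic-DNS service would still surface for triage. The backdoor's process name, “eToken.exe”, is left out of the detection on purpose: legitimate USB-token software uses that name, so a process-name match alone would be noisy without a signature or path check.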
ESET also noted that alongside Vietnam, there were cases of affected systems in the Philippines, although the precise delivery methods remain undetermined. The ultimate intentions of the attackers also remain vague, with scant information available regarding activities following the initial compromise.
This case underscores the growing prevalence of supply-chain attacks, a method increasingly favored by cyber-espionage groups. By infiltrating trusted systems, adversaries can subtly introduce malware across numerous devices in a single operation.
In a related context, ESET recently exposed a Lazarus campaign in South Korea, which utilized both legitimate security software and stolen digital certificates to propagate remote administration tools (RATs) across targeted environments. Furthermore, last week, ESET encountered the exploitation of a chat application called Able Desktop, employed by over 430 government agencies in Mongolia, to disseminate various malicious tools, including HyperBro and the Korplug RAT.
Moreover, the recent identification of a supply-chain attack affecting SolarWinds Orion software signifies a larger scale of this problem, impacting significant U.S. government bodies including the Departments of Homeland Security, Commerce, Treasury, and State.
Faou concluded that supply-chain assaults are particularly difficult to detect due to the effective concealment of malicious code among legitimate application code, complicating the identification process.