vgca - isotope¹³

Incident Summary

Vietnam Government Certificate Authority website served backdoored installers

ESET disclosed Operation SignSight on 2020-12-17 — between 2020-07-23 and 2020-08-16, attackers compromised the Vietnam Government Certification Authority's website (ca.gov.vn) and replaced the official `gca01-client-v2-x32-8.3.msi` and `gca01-client-v2-x64-8.3.msi` digital-signature toolkit installers with trojanized versions. The malicious MSIs ran the legitimate signing client while side-loading PhantomNet (a.k.a. Smanager), a modular backdoor compiled 2020-04-26, that beaconed to `vgca.homeunix.org` and `office365.blogdns.com`. The trojanized installers carried the same SafeNet certificate as the legitimate ones. ESET noted tooling similarities to TA428.

Date: 2020-07-23 to 2020-08-16
Category: Commercial
Target Surface: Distribution
Insertion Phase: distribution
Impact: Backdoor
Cause: Website compromise

What Was Affected

Package vgca

Languagec++

ComponentApplication

Artifact typebinary archive

Domain typeproject download host

Domain ca.gov.vn

Compromised Versions

gca01-client-v2-x32-8.3.msi
gca01-client-v2-x64-8.3.msi

Incident Context

Motive: Espionage
Attribution: Nation-state
Transitive: No
Observed Duration: 24 days

Evidence

Compromised Artifacts

ca.gov.vn

Indicators and Changes

Hashes

sha1:5C77A18880CF58DF9FBA102DD8267C3F369DF449
sha1:B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A
sha1:9522F369AC109B03E6C16511D49D1C5B42E12A44
sha1:989334094EC5BA8E0E8F2238CDF34D5C57C283F2

External References

Source Data

Source record: proprietary/vgca/meta.yaml