Alleged Chinese state-sponsored group hacked certificate authority, gov’t agencies in Asia

A group allegedly backed by China has attacked a certificate authority in Asia, as well as multiple government agencies within the region since March, according to a new report from Symantec.

The researchers pointed the blame at a group dubbed Billbug, an advanced persistent threat group (APT) active since at least 2009. Other researchers have identified the group as Lotus Blossom and Thrip.

Symantec Threat Hunter Team Senior Intelligence Analyst Brigid O Gorman told The Record that the attack on the certificate authority was especially alarming. If the attackers were successful in compromising it, they could use their access certificates to sign malware with a valid certificate that would allow them to avoid detection on devices. 

“It could also potentially use compromised certificates to intercept HTTPS traffic,” O Gorman said.

“Apart from this, compromising an organization’s systems could also potentially allow the attackers to carry out ‘regular’ espionage activity such as lateral movement on victim machines, accessing credentials, and exfiltrating data.”

The certification authority in question was notified of the hack and found no evidence to suggest the hackers were successful in compromising digital certificates.

Symantec researchers tied the activity of Billbug to the attack on the certificate authority due to the tools used, which they have employed in the past.

“In this campaign, all of Billbug’s victims were located in Asia. Historically, Billbug has appeared to be primarily interested in targets in the government, defense and communications sectors, primarily in Southeast Asia, indicating that those behind these operations likely have a strategic interest in countries in that region,” O Gorman said. 

“However, in activity we did also see the group targeting organizations based in the U.S.”

The group uses an array of backdoors and other tools during their attacks. Symantec noted that with one of the government victims, a “large number of machines on the network were compromised by the attackers.”

Symantec said the targeting of government agencies and a certificate authority indicates that the primary motive of the campaign is espionage and data theft.