"Researchers Say China State-backed Hackers Breached a Digital Certificate Authority"

As part of an ongoing campaign that began in March 2022, a suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies in several Asian countries. Symantec attributed the attacks to a group it tracks as Billbug, citing the use of tools previously associated with this actor. The activity appears to be motivated by espionage and data theft, though no data has been reported stolen to date. Billbug, also known as Bronze Elgin, Lotus Blossom, Lotus Panda, Spring Dragon, and Thrip, is an Advanced Persistent Threat (APT) group believed to operate in support of Chinese interests. Government and military organizations in Southeast Asia are its primary targets. In 2019 attacks, with intrusions observed in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam, the group used the backdoors Hannotog and Sagerunex. Both implants provide persistent remote access to the victim network, while an information stealer known as Catchamas has been used in selected cases to exfiltrate sensitive data. The targeting of a certificate authority is significant because, according to Symantec researchers, attackers who gain access to its certificates could sign malware with a valid certificate, helping it avoid detection on victim machines. They could also issue certificates for domains they do not control and use them to intercept HTTPS traffic from clients that trust that authority. This article continues to discuss the breach of a digital certificate authority as well as government and defense agencies by the Billbug APT group.
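To make the HTTPS point concrete, the following added example (written for this page in Go using only the standard library; it is not code from Symantec, THN, or the Billbug reporting) builds a throwaway CA, has it mint a server certificate for a hostname the certificate holder does not own, and shows that any client trusting that CA accepts the certificate, while a client that has removed the CA from its root store rejects it. The CA name and the hostname `login.example.gov` are constructed stand-ins, and the empty certificate pool is an assumption standing in for a root store from which the breached authority has been removed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeCA builds a self-signed CA certificate and key. This is a constructed
// stand-in for a compromised authority, not a real one; the name is illustrative.
func MakeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// IssueServerCert has the CA sign a TLS server certificate for dnsName. Nothing
// here checks that the requester controls dnsName: whoever holds the CA key can
// mint a certificate for any hostname, which is what a CA breach enables.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AcceptedBy reports whether a client whose root store is roots would accept
// leaf as a valid server certificate for dnsName.
func AcceptedBy(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Demo mints a certificate for a hostname the holder does not own and returns
// (accepted while the CA is trusted, accepted after the CA is distrusted).
func Demo(dnsName string) (bool, bool, error) {
	ca, caKey, err := MakeCA("Example Compromised CA") // constructed, not a real CA
	if err != nil {
		return false, false, err
	}
	leaf, err := IssueServerCert(ca, caKey, dnsName)
	if err != nil {
		return false, false, err
	}
	trusting := x509.NewCertPool()
	trusting.AddCert(ca)
	before := AcceptedBy(leaf, trusting, dnsName)

	// Remediation: distrust the CA. An empty, non-nil pool stands in for a root
	// store from which the breached authority has been removed (assumption).
	distrusting := x509.NewCertPool()
	after := AcceptedBy(leaf, distrusting, dnsName)
	return before, after, nil
}

func main() {
	before, after, err := Demo("login.example.gov") // constructed hostname
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted while CA trusted: %v\naccepted after CA distrusted: %v\n", before, after)
}
```

The example deliberately passes a non-nil empty pool as `Roots`; a nil `Roots` would make Go fall back to the system root store, which is not what a distrust test should exercise. The same mechanics apply to a real breach: the certificates are cryptographically valid, so the only client-side defenses are removing or revoking the authority and watching Certificate Transparency logs for names you own.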

THN reports "Researchers Say China State-backed Hackers Breached a Digital Certificate Authority"

Submitted by Anonymous on