Security — January 20, 2023 at 11:21 am

Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries

by

Symantec, by Broadcom Software, was able to link this activity to a group we track as Billbug due to the use in this campaign of tools previously attributed to this group. Billbug (aka Lotus Blossom, Thrip) is a long-established advanced persistent threat (APT) group that is believed to have been active since at least 2009.

BillbugSymantec has previously published on this group’s activity in 2018 and 2019 under the Thrip name, but following our 2019 investigation, we determined that Thrip and Billbug were most likely the same group so now track all activity under the Billbug name.

In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity.

The victims in this campaign included a certificate authority, as well as government and defense agencies. All the victims were based in various countries in Asia. Billbug is known to focus on targets in Asian countries. In at least one of the government victims, a large number of machines on the network were compromised by the attackers.

The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic. However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates. Symantec has notified the cert authority in question to inform them of this activity.

This activity has been ongoing since at least March 2022.

More details here.

 

Symantec security solutions are distributed in Romania by SolvIT Networks.