Digital Certificate Authority

A suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022.

Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name Billbug, citing the use of tools previously attributed to this actor. The activity appears to be driven by espionage and data theft, although no data is said to have been stolen to date.

Billbug, also called Bronze Elgin, Lotus Blossom, Lotus Panda, Spring Dragon, and Thrip, is an advanced persistent threat (APT) group that is believed to operate on behalf of Chinese interests. Primary targets include government and military organizations in South East Asia.


Attacks mounted by the adversary in 2019 involved the use of backdoors like Hannotog and Sagerunex, with the intrusions observed in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.

Both implants are designed to grant persistent remote access to the victim network, while the threat actor is also known to deploy an information stealer known as Catchamas in select cases to exfiltrate sensitive information.

"The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines," Symantec researchers said in a report shared with The Hacker News.

"It could also potentially use compromised certificates to intercept HTTPS traffic."

The cybersecurity company, however, noted that there is no evidence to indicate that Billbug was successful in compromising the digital certificates. The concerned authority, it said, was notified of the activity.

An analysis of the latest wave of attacks indicates that initial access is likely obtained through the exploitation of internet-facing applications, following which a combination of bespoke and living-off-the-land tools is employed to meet the group's operational goals.


These include utilities such as WinRAR, Ping, Traceroute, NBTscan, and Certutil, in addition to a backdoor capable of downloading arbitrary files, gathering system information, and uploading encrypted data.
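Because each utility listed above is legitimate on its own, correlating them per host is more useful to a defender than alerting on any single one. The following is an added example, not taken from Symantec's report or this article: it flags hosts where several of the named utilities run within a short window. The log format, host names, executable names, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Executable names assumed for the dual-use utilities named in the article.
# Matching is by file name only, so a renamed binary would not be caught.
TOOLS = {
    "winrar.exe": "WinRAR", "rar.exe": "WinRAR", "ping.exe": "Ping",
    "tracert.exe": "Traceroute", "nbtscan.exe": "NBTscan",
    "certutil.exe": "Certutil",
}

# Constructed process-creation events: "timestamp host user image_path"
SAMPLE_LOG = r"""
2022-03-01T09:00:05 WEB01 svc_web C:\Windows\System32\ping.exe
2022-03-01T09:01:10 WEB01 svc_web C:\Windows\System32\tracert.exe
2022-03-01T09:03:00 WEB01 svc_web C:\Users\Public\nbtscan.exe
2022-03-01T09:05:30 WEB01 svc_web C:\Windows\System32\certutil.exe
2022-03-01T09:12:00 WEB01 svc_web C:\Program Files\WinRAR\rar.exe
2022-03-01T10:00:00 HR07 alice C:\Windows\System32\ping.exe
2022-03-01T14:30:00 HR07 alice C:\Windows\System32\certutil.exe
2022-03-01T11:00:00 DB02 bob C:\Windows\System32\ping.exe
2022-03-01T11:00:10 DB02 bob C:\Windows\System32\ping.exe
"""

def parse(line):
    """Split one event; the image path may contain spaces, so it comes last."""
    ts, host, user, image = line.split(None, 3)
    return datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower()

def find_clusters(log_text, window_minutes=15, min_tools=3):
    """Return (host, first_seen, last_seen, tools) for hosts where at least
    min_tools distinct listed utilities ran within window_minutes."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, _user, image = parse(line)
        if image in TOOLS:
            per_host[host].append((ts, TOOLS[image]))
    alerts = []
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            tools = sorted({name for _, name in events[start:end + 1]})
            if len(tools) >= min_tools:
                alerts.append((host, events[start][0], events[end][0], tools))
                break  # one alert per host is enough for triage
    return alerts
```

On the constructed sample only WEB01 is flagged; HR07's two tools are hours apart and DB02 repeats a single tool, which is the kind of routine use a single-tool rule would alert on.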

Also detected in the attacks were an open source multi-hop proxy tool called Stowaway and the Sagerunex malware, which is dropped on the machine via Hannotog. The backdoor, for its part, is equipped to run arbitrary commands, drop additional payloads, and siphon files of interest.

"The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns," the researchers concluded.

"Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past."
