Billbug compromises certificate authorities in the service of cyberespionage.
Billbug romps through Asian government agencies.
Symantec has found that a Chinese state-sponsored threat actor compromised a digital certificate authority in an unnamed Asian country. The threat actor also compromised government and defense agencies in several Asian countries.
Certificate authority targeted.
The threat actor, which Symantec (a unit of Broadcom) tracks as “Billbug” (also known as Lotus Blossom or Thrip), likely targeted the certificate authority in order to obtain certificates for signing its malware, although it’s not clear whether Billbug succeeded in stealing any:
“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic. However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates. Symantec has notified the cert authority in question to inform them of this activity.”
Billbug likely motivated by espionage.
Symantec noted in 2019 that Billbug is based in China, and its primary goal appears to be espionage:
“While we do not see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor, indicating that data theft is the most likely motivation in this campaign. The victims in this campaign – government agencies and a certificate authority – also point to an espionage and data-theft motive.”