Updated on 2022-11-21: China-backed hackers targeted certificate authority
Chinese government-backed hackers have been caught targeting an unnamed certificate authority, per Symantec. The threat group it calls Billbug also targeted government defense agencies, a satellite communications operator, and three different telecom companies. Read more:
- Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
- State-sponsored hackers in China compromise certificate authority
- Alleged Chinese state-sponsored group hacked certificate authority, gov’t agencies in Asia
Updated on 2022-11-15
The Chinese state-sponsored Lotus Blossom APT group breached a digital certificate authority and government and defense agencies across the world, in a campaign that has been ongoing since at least March. Read more: Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Overview: Billbug
Broadcom’s Symantec research team has published a report on the activities of an APT group it tracks as Billbug (also known as Thrip or Lotus Blossom). According to the company, the group has compromised at least one certificate authority (CA) in an Asian country, as well as multiple government agencies across multiple Asian countries, in a campaign that has been ongoing since at least March 2022.
“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic. However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates.”