According to security researchers at Symantec, state-sponsored actors operating as the Billbug group, also known as Thrip and Lotus, have attempted to compromise a digital certificate authority in an Asian country. The attack was part of a larger campaign targeting multiple government agencies, and Symantec shared its findings in a recent advisory. Symantec first observed the group's activity in 2019 and described how the threat actors used a backdoor known as Hannotog; it confirmed that the same tool was also observed in the recent activity detailed in the report.
Symantec stated that all of the victims of the recent Billbug campaign were based in various Asian countries, and that most of them were government organizations. Symantec explained that if the attackers could compromise and access the authority's certificates, it would allow them to sign malware with a valid certificate, helping that malware avoid detection on victim machines. Additionally, the threat actors could use compromised certificates to intercept HTTPS traffic. Symantec reported that it has seen no evidence suggesting that the attack targeting the digital certificates was successful.