Schweitzer Fachinformationen
Move beyond the checklist and fully protect yourself from third-party cybersecurity risk
Over the last decade, there have been hundreds of big-name organizations in every sector that have experienced a public breach due to a vendor. While the media tends to focus on high-profile breaches like those that hit Target in 2013 and Equifax in 2017, 2020 has ushered in a huge wave of cybersecurity attacks, a near 800% increase in cyberattack activity as millions of workers shifted to working remotely in the wake of a global pandemic.
The 2020 SolarWinds supply-chain attack illustrates the lasting impact of this dramatic increase in cyberattacks. Operating as an Advanced Persistent Threat (APT), a sophisticated attacker stole information from multiple organizations, from Microsoft to the Department of Homeland Security, not by attacking those targets directly but by compromising a trusted partner or vendor. In addition to exposing third-party risk vulnerabilities for other hackers to exploit, the damage from this one attack alone will continue for years, and there are no signs that cyber breaches are slowing.
Cybersecurity and Third-Party Risk delivers proven, active, and predictive risk reduction strategies and tactics designed to keep you and your organization safe. Cybersecurity and IT expert and author Gregory Rasner shows you how to transform third-party risk from an exercise in checklist completion to a proactive and effective process of risk mitigation.
The time to talk cybersecurity with your data partners is now.
Cybersecurity and Third-Party Risk is a must-read resource for business leaders and security professionals looking for a practical roadmap to avoiding the massive reputational and financial losses that come with third-party security breaches.
GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.
Foreword xvi
Introduction xviii
Section 1 Cybersecurity Third-Party Risk
Chapter 1 What is the Risk? 1
The SolarWinds Supply-Chain Attack 4
The VGCA Supply-Chain Attack 6
The Zyxel Backdoor Attack 9
Other Supply-Chain Attacks 10
Problem Scope 12
Compliance Does Not Equal Security 15
Third-Party Breach Examples 17
Third-Party Risk Management 24
Cybersecurity and Third-Party Risk 27
Cybersecurity Third-Party Risk as a Force Multiplier 32
Conclusion 33
Chapter 2 Cybersecurity Basics 35
Cybersecurity Basics for Third-Party Risk 38
Cybersecurity Frameworks 46
Due Care and Due Diligence 53
Cybercrime and Cybersecurity 56
Types of Cyberattacks 59
Analysis of a Breach 63
The Third-Party Breach Timeline: Target 66
Inside Look: Home Depot Breach 68
Conclusion 72
Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
The Pandemic Shutdown 77
Timeline of the Pandemic Impact on Cybersecurity 80
Post-Pandemic Changes and Trends 84
Regulated Industries 98
An Inside Look: P&N Bank 100
SolarWinds Attack Update 102
Conclusion 104
Chapter 4 Third-Party Risk Management 107
Third-Party Risk Management Frameworks 113
ISO 27036:2013+ 114
NIST 800-SP 116
NIST 800-161 Revision 1: Upcoming Revision 125
NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
The Cybersecurity and Third-Party Risk Program Management 127
Kristina Conglomerate (KC) Enterprises 128
KC Enterprises' Cyber Third-Party Risk Program 131
Inside Look: Marriott 140
Conclusion 141
Chapter 5 Onboarding Due Diligence 143
Intake 145
Data Privacy 146
Cybersecurity 147
Amount of Data 149
Country Risk and Locations 149
Connectivity 150
Data Transfer 150
Data Location 151
Service-Level Agreement or Recovery Time Objective 151
Fourth Parties 152
Software Security 152
KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
Cybersecurity in Request for Proposals 154
Data Location 155
Development 155
Identity and Access Management 156
Encryption 156
Intrusion Detection/Prevention System 157
Antivirus and Malware 157
Data Segregation 158
Data Loss Prevention 158
Notification 158
Security Audits 159
Cybersecurity Third-Party Intake 160
Data Security Intake Due Diligence 161
Next Steps 167
Ways to Become More Efficient 173
Systems and Organization Controls Reports 174
Chargebacks 177
Go-Live Production Reviews 179
Connectivity Cyber Reviews 179
Inside Look: Ticketmaster and Fourth Parties 182
Conclusion 183
Chapter 6 Ongoing Due Diligence 185
Low-Risk Vendor Ongoing Due Diligence 189
Moderate-Risk Vendor Ongoing Due Diligence 193
High-Risk Vendor Ongoing Due Diligence 196
"Too Big to Care" 197
A Note on Phishing 200
Intake and Ongoing Cybersecurity Personnel 203
Ransomware: A History and Future 203
Asset Management 205
Vulnerability and Patch Management 206
802.1x or Network Access Control (NAC) 206
Inside Look: GE Breach 207
Conclusion 208
Chapter 7 On-site Due Diligence 211
On-site Security Assessment 213
Scheduling Phase 214
Investigation Phase 215
Assessment Phase 217
On-site Questionnaire 221
Reporting Phase 227
Remediation Phase 227
Virtual On-site Assessments 229
On-site Cybersecurity Personnel 231
On-site Due Diligence and the Intake Process 233
Vendors Are Partners 234
Consortiums and Due Diligence 235
Conclusion 237
Chapter 8 Continuous Monitoring 239
What is Continuous Monitoring? 241
Vendor Security-Rating Tools 241
Inside Look: Health Share of Oregon's Breach 251
Enhanced Continuous Monitoring 252
Software Vulnerabilities/Patching Cadence 253
Fourth-Party Risk 253
Data Location 254
Connectivity Security 254
Production Deployment 255
Continuous Monitoring Cybersecurity Personnel 258
Third-Party Breaches and the Incident Process 258
Third-Party Incident Management 259
Inside Look: Uber's Delayed Data Breach Reporting 264
Inside Look: Nuance Breach 265
Conclusion 266
Chapter 9 Offboarding 267
Access to Systems, Data, and Facilities 270
Physical Access 274
Return of Equipment 275
Contract Deliverables and Ongoing Security 275
Update the Vendor Profile 276
Log Retention 276
Inside Look: Morgan Stanley Decommissioning Process Misses 277
Inside Look: Data Sanitization 279
Conclusion 283
Section 2 Next Steps
Chapter 10 Securing the Cloud 285
Why is the Cloud So Risky? 287
Introduction to NIST Service Models 288
Vendor Cloud Security Reviews 289
The Shared Responsibility Model 290
Inside Look: Cloud Controls Matrix by the Cloud Security Alliance 295
Security Advisor Reports as Patterns 298
Inside Look: The Capital One Breach 312
Conclusion 313
Chapter 11 Cybersecurity and Legal Protections 315
Legal Terms and Protections 317
Cybersecurity Terms and Conditions 321
Offshore Terms and Conditions 324
Hosted/Cloud Terms and Conditions 327
Privacy Terms and Conditions 331
Inside Look: Heritage Valley Health vs. Nuance 334
Conclusion 335
Chapter 12 Software Due Diligence 337
The Secure Software Development Lifecycle 340
Lessons from SolarWinds and Critical Software 342
Inside Look: Juniper 344
On-Premises Software 346
Cloud Software 348
Open Web Application Security Project Explained 350
OWASP Top 10 350
OWASP Web Security Testing Guide 352
Open Source Software 353
Software Composition Analysis 355
Inside Look: Heartbleed 355
Mobile Software 357
Testing Mobile Applications 358
Code Storage 360
Conclusion 362
Chapter 13 Network Due Diligence 365
Third-Party Connections 368
Personnel Physical Security 368
Hardware Security 370
Software Security 371
Out-of-Band Security 372
Cloud Connections 374
Vendor Connectivity Lifecycle Management 375
Zero Trust for Third Parties 379
Internet of Things and Third Parties 385
Trusted Platform Module and Secure Boot 388
Inside Look: The Target Breach (2013) 390
Conclusion 391
Chapter 14 Offshore Third-Party Cybersecurity Risk 393
Onboarding Offshore Vendors 397
Ongoing Due Diligence for Offshore Vendors 399
Physical Security 399
Offboarding Due Diligence for Offshore Vendors 402
Inside Look: A Reminder on Country Risk 404
Country Risk 405
KC's Country Risk 406
Conclusion 409
Chapter 15 Transform to Predictive 411
The Data 414
Vendor Records 415
Due Diligence Records 416
Contract Language 416
Risk Acceptances 417
Continuous Monitoring 417
Enhanced Continuous Monitoring 417
How Data is Stored 418
Level Set 418
A Mature to Predictive Approach 420
The Predictive Approach at KC Enterprises 420
Use Case #1: Early Intervention 423
Use Case #2: Red Vendors 425
Use Case #3: Reporting 426
Conclusion 427
Chapter 16 Conclusion 429
Advanced Persistent Threats Are the New Danger 431
Cybersecurity Third-Party Risk 435
Index 445
On December 10, 2020, ESET researchers announce they have found that a chat software called Able Desktop (Able), part of a widely used business management suite in Mongolia deployed across 430 Mongolian government agencies, was exploited to deliver the HyperBro backdoor, the Korplug RAT (remote access trojan), and another RAT named Tmanger. They also identified a connection with the ShadowPad backdoor, used by at least five threat actors in the exploit. Two installers were infected with the trojan, and the compromised Able update system was used to deliver the malicious software. Evidence shows that the Able system had been compromised since June 2020, while the malware-infected installers were delivered as far back as May 2018.
The post explains that HyperBro is commonly attributed to the cybercriminal group named "LuckyMouse," a Chinese-speaking threat actor known for highly targeted cyberattacks. Primarily active in South East and Central Asia, many of their attacks have a political aim. Tmanger is attributed to TA428, also a Chinese Advanced Persistent Threat (APT) group. Because these two tools are normally used by different APTs and appeared together in one attack, the ESET team theorizes that LuckyMouse and TA428 are sharing data and weapons; they may also be subgroups of a larger APT. Given the region and threat actors, it is considered to be a political attack that had been planned as early as May 2018, yet not carried out in earnest until two years later.
Advanced Persistent Threat (APT) is the term given to state actors (i.e., government run or authorized hackers) or large cybercriminal syndicates that have a lot of time and patience to perform very stealthy, large-scale attacks aimed at political or economic goals.
On December 13, 2020, FireEye, a global leader in cybersecurity, publishes on its website the first details about the SolarWinds Supply-Chain Attack, a global intrusion campaign that inserted a trojan into the SolarWinds Orion business software updates to distribute the malware. FireEye names the malware "Sunburst." After the attackers successfully hacked into FireEye, their activity demonstrated lateral movement and data exfiltration. "The actors behind this campaign gained access to numerous public and private organizations around the world... This campaign may have begun as early as Spring 2020 and is currently ongoing... The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security," as explained in the Summary from FireEye's website on December 13th.
The attackers added a .dll file (a configuration file) called SolarWinds.Orion.Core.BusinessLayer.dll to the Orion product; the file was digitally signed and enabled backdoor communications over HTTP (i.e., normal, unencrypted web traffic) to other servers. The Sunburst malware is suspected to have lain quietly for two weeks while it performed some reconnaissance, executing commands that led to file transfers and to control of the victim's servers (i.e., reboots, disabling services). Using a native product within Orion, the Orion Improvement Program (OIP), Sunburst blended in expertly with the program's normal functions. It even had the capability to sniff out the antivirus and cybersecurity forensic tools being used, likely to learn how to better go undetected.
"As much as anything, this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response," according to Brad Smith, President of Microsoft (December 17, 2020) as posted on his blog about the SolarWinds attack. This attack was used to steal valuable intellectual property from the top-tier security company FireEye. As of the time of this writing, it has been confirmed to have affected dozens of U.S. cabinet-level agencies. Due to the pervasiveness of the SolarWinds product across the world, more breaches will be discovered in the following days, weeks, months, and years to come. Some may never be discovered (or admitted); however, there will be international victims. It is a coup for the suspected perpetrators, thought to be a state actor who used a supply side attack, exploiting the weakness of a popular network and monitoring tool, SolarWinds, to circumvent the tight defenses of the intended victims.
On December 18th, Microsoft released information identifying more than 40 government agencies, higher learning institutions, Non-Governmental Organizations (NGOs), and information technology companies that were infiltrated, with four-fifths of them being U.S.-based, and nearly half of those being tech companies. On his blog, Brad Smith said
This is not "espionage as usual," even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.
One act of recklessness that he refers to is that the maker of this pervasive software, SolarWinds Orion, was clearly not performing its own due diligence and due care to protect itself and its customers, and this product is used by nearly everyone. Further recklessness was that all the customers of SolarWinds were not performing at expectations for cybersecurity best practice.
If customers had performed some key cybersecurity assessment on a third-party software maker like SolarWinds, this attack could have been detected. Were intake questions asked about the type of data to which SolarWinds had access and where that data might go or be stored? Depending on a company's solution type, asking questions about how the secure software development lifecycle is managed and audited is considered to be appropriate.
For the hardware appliance, what was SolarWinds' supply-chain security for the hardware parts and assembly? For a company that had ventured to perform an on-site cybersecurity physical validation of SolarWinds, was any evidence produced on how they performed external security scans (which might have detected the default password on their download page, "SolarWinds123")? Who performed these external scans? The company? Or did they hire an outside firm, and were the results viewable? Often, such companies will not share these results, so you must negotiate to at least see the Table of Contents, who performed such security scans, and when.
Final question: Had SolarWinds remediated all the findings in the external security scan? While this is not the first time a breach has occurred, the scale of the SolarWinds breach will dwarf all others.
On December 17, 2020, ESET Research announced it had detected a large supply-chain attack against the digital signing authority of the government of Vietnam (ca.gov.vn), the website for the Vietnam Government Certification Authority (VGCA), which is part of the Government Cipher Committee under the Ministry of Information and Communication. Vietnam has made the digital leap, and almost anyone in the country who requires a government service, product, or approval is required to use a digital signature. These e-signatures have the same authority and enforceability as a traditional paper document autograph according to government decree.
The VGCA also develops and makes available for download a toolkit to automate the process of e-signatures. This toolkit is widely used by the government, private companies, and individuals. VGCA's website was hacked as early as July 23rd and no later than August 16, 2020. The compromised toolkits contained malware known as PhantomNet and SManager. ESET confirms that the files were downloaded from the VGCA website directly and were not the result of a redirect from another location. While these infected files were not signed with proper digital certificates, it appears that prior files were not correctly signed either. This may have led to users not rejecting the improper digital certificates of the trojan-infected files, because the files behaved the same before the malware was added.
When an infected file was downloaded and run, the correct VGCA program ran along with the malware. This hid the trojan from the end user, who saw the normal program running correctly and so was unaware of the trojan and unlikely to look for it. The file eToken.exe extracted a Windows cabinet file (.cab), which was used as an archive file to support compression and maintain archive integrity. The file 7z.cab contained the backdoor the attackers used. The attackers went to great lengths to ensure that the backdoor ran, regardless of the user's privileges on the device.
If the 7z.cab file was able to run as an administrator on the machine, the program wrote the backdoor to c:\Windows\appatch\netapi32.dll and registered it as a service to ensure it kept running after any reboot. On a device that only allowed...
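The persistence mechanism described above, a backdoor DLL dropped under the Windows directory and registered as a service, is the kind of artifact a defender can hunt for in a service inventory. The following Python script is an added example, not code from the book or from ESET: it scans constructed service records shaped like Win32_Service PathName and ServiceDll values, uses an assumed allowlist of directories where service binaries normally live, and flags the exact path spelled in the excerpt plus any binary outside the allowlist.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories where legitimate service binaries normally live (assumed allowlist).
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")
# Artifact path as spelled in the VGCA excerpt (lowercased for comparison).
KNOWN_BAD = (r"c:\windows\appatch\netapi32.dll",)

@dataclass
class ServiceRecord:
    name: str
    path_name: str                     # Win32_Service PathName (image + arguments)
    service_dll: Optional[str] = None  # ServiceDll value for svchost-hosted services

def normalize(path: str) -> str:
    """Lowercase and expand the two environment variables commonly seen in service paths."""
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")

def extract_binary_path(raw: str) -> str:
    """Pull the executable/DLL out of a raw PathName or ServiceDll value,
    handling quoted paths, unquoted paths containing spaces, and trailing arguments."""
    s = raw.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return normalize(s[1:end] if end > 0 else s)
    m = re.match(r"(.+?\.(?:exe|dll|sys))(?:\s|$)", s, re.IGNORECASE)
    return normalize(m.group(1) if m else s.split()[0])

Finding = Tuple[str, str, str, str]  # (service, field, path, reason)

def classify(rec: ServiceRecord) -> List[Finding]:
    """Check both the image path and the hosted DLL of one service record."""
    findings: List[Finding] = []
    for field, raw in (("PathName", rec.path_name), ("ServiceDll", rec.service_dll)):
        if not raw:
            continue
        path = extract_binary_path(raw)
        if path in KNOWN_BAD:
            findings.append((rec.name, field, path, "known-bad path from VGCA report"))
        elif not path.startswith(EXPECTED_DIRS):
            findings.append((rec.name, field, path, "binary outside expected directories"))
    return findings

def scan(records: List[ServiceRecord]) -> List[Finding]:
    return [f for rec in records for f in classify(rec)]

# Constructed sample records, not data from a real host.
SAMPLE = [
    ServiceRecord("Dhcp", r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted",
                  r"%SystemRoot%\system32\dhcpcore.dll"),
    ServiceRecord("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ServiceRecord("VendorAgent", r'"C:\Program Files (x86)\Vendor\agent.exe" -svc'),
    ServiceRecord("netapi32svc", r"C:\Windows\system32\svchost.exe -k netsvcs",
                  r"C:\Windows\appatch\netapi32.dll"),
    ServiceRecord("UpdaterSvc", r'"C:\Users\Public\updater.exe" --silent'),
]

if __name__ == "__main__":
    for svc, field, path, reason in scan(SAMPLE):
        print(f"{svc:12} {field:10} {path}  <- {reason}")
```

On a live host the same records can be collected from Win32_Service and the Parameters\ServiceDll registry values and fed to scan() unchanged.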
File format: ePUB
Copy protection: Adobe DRM (Digital Rights Management)
System requirements:
The ePUB file format is well suited to novels and non-fiction, that is, to "flowing" text without a complex layout. On e-readers or smartphones the line and page breaks adapt automatically to small displays. Adobe DRM applies "hard" copy protection here. If the necessary requirements are not met, you will unfortunately not be able to open the e-book, so you must prepare your reading hardware before downloading. Please note: we strongly recommend that you authorize the reading software with your personal Adobe ID after installing it.
Further information can be found in our e-book help.