Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT

Vietnam Targeted in Complex Supply Chain Attack (zdnet.com) 23

A group of mysterious hackers has carried out a clever supply chain attack against Vietnamese private companies and government agencies by inserting malware inside an official government software toolkit. From a report: The attack, discovered by security firm ESET and detailed in a report named "Operation SignSight," targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents. Any Vietnamese citizen, private company, and even other government agency that wants to submit files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate. The VGCA doesn't only issue these digital certificates but also provides ready-made and user-friendly "client apps" that citizens, private companies, and government workers can install on their computers and automate the process of signing a document.
This discussion has been archived. No new comments can be posted.

Vietnam Targeted in Complex Supply Chain Attack

Comments Filter:
  • Vietnam seems to have a good supply of local hackers, and they would be the ones most familiar with the system.

    • Vietnam seems to have a good supply of local hackers, and they would be the ones most familiar with the system.

      Indeed.

      However, if this would have happened to us, we would have screamed "nation state" straight away and pointed a finger of blame at one of the usual suspects.

      • by Wolfier ( 94144 )

        Actually I would not be surprised if the attack on Vietnam is *also* of a nation state nature.

        You just need to think who would benefit, or would lose less, from such an attack.

    • by Wolfier ( 94144 ) on Monday December 28, 2020 @01:04PM (#60872972)

      TFA is quite clear...

      To think about it, which country stands to benefit most from a supply chain attack of Vietnam?
      Which country's manufacturing jobs have been migrated to Vietnam?

      • by HiThere ( 15173 )

        Yes, China is a reasonable suspect. But to jump from "suspect" to "They did it!" is quite unreasonable.

      • To think about it, which country stands to benefit most from a supply chain attack of Vietnam?

        It sounds like you don't even know what a supply chain attack (as the term is used here) even means....

        Hint: it doesn't mean they sabotaged manufacturing jobs.

  • or at least try to. I am not saying that we have no responsibility do to what we can but governments are much better resourced and by taking out crooks like this will benefit their populations. I know that some of these "crooks" are probably other governments and I also know that our own governments indulge in things like this; but unless serious effort is put into trying to stop this (and locking the crooks up) then it will just get worse and worse.

    • What do you expect the government to do?

      • Avoid the shitty premise of digital signatures. I mean I studied tech and worked in tech and I don't even a clue what the a priori of digital signatures is... it's basically just an attempt to weed out any one afraid of being charged with fraud but ultimately has zero actual security?

        • by ebyrob ( 165903 )

          You must not like browsing the web much. Every single HTTPS connection is secured by a digital certificate.

          That said, the internet isn't perfect and there are some other measures possible, but I don't think public / private key pair and message digest authentication are going anywhere any time soon.

          • Website digital certificates and government approved digital signatures seem a bit different. They both have certificate authorities but the former is verifying more details in the handshake I believe. If one had to physical appearance before a government office to get their digital signature, I think my concerns are covered but I don't quite see how they key exchange can be done purely digitally while having convidence in a person being who they claim unless you assume the likelihood of fraud is miniscule

      • by AleRunner ( 4556245 ) on Monday December 28, 2020 @12:19PM (#60872794)

        as some examples, how about

        • Strongly encourage full encryption with no back doors
        • Prosecute companies and the people working for them that put backdoors into products
        • Work with private industry to set sensible security standards.
        • Prosecute companies storing data that fail to provide decent security for that data
        • Work on and analyse all key software used in their country- actively check that the software is secure.
        • Encourage individual, responsible security researchers, ensuring they are safe from prosecution as long as they follow reasonable notification processes.
        • Provide red team checking and security audits of companies - prosecute those that fail repeatedly.
        • Warn people against insecure software.
        • Ensure that their security agencies tell software authors about any vulnerabilities.
        • Practice time delayed full disclosure, where vulnerabilities
        • Publish recommendations for secure configuration of systems
        • Use their already extensive monitoring networks to identify attackers and warn any entities being attacked
        • Provide rapid response together with security companies to allow small companies to respond effectively to breaches
    • Should not our governments protect us from this ?

      This is what government protection looks like. You can still rest, assured that those signed documents (probably) arent forged.

      There. They protected you.

      What does that malware infestation that they forced you into have to do with it? There are always consequences and why should anybody bother figuring out what they will be, so their good intentions should more that cover any of the gross negligence that has harmed millions of people by degree.

      Clearly we need more government.

  • That part of the world is competing with each other so there is no telling which enemy of theirs could have done it.

  • China. (Score:5, Interesting)

    by waspleg ( 316038 ) on Monday December 28, 2020 @11:45AM (#60872680) Journal

    Vietnam and China have basically been at war for thousands of years. I would be surprised to learn that this was NOT them.

    From the article:

    The Slovak security firm didn't formally attribute the attack to any particular group, but previous reports linked the PhatomNet (Smanager) malware to Chinese state-sponsored cyber-espionage activities.

    • Vietnam and China have basically been at war for thousands of years. I would be surprised to learn that this was NOT them.

      From the article:

      The Slovak security firm didn't formally attribute the attack to any particular group, but previous reports linked the PhatomNet (Smanager) malware to Chinese state-sponsored cyber-espionage activities.

      Warring since approximately 1400 CE is not *thousands* of years.

  • If I were Vietnamese and had the skills and a dislike of the government and this centralized, government-controlled means of signing/certifying official documents, this seems like a great way to send a message.

    • by gtall ( 79522 )

      and if you "were Vietnamese and had the skills and a dislike of the government and this centralized, government-controlled means of signing/certifying official documents", then you'd probably be scared shitless of being taken out and shot if you were ever connected to a caper like this. The Vietnam government is the typical post-communism dictatorship. In Russia, Putin uses gulags and poison and sometimes murder (but only for "special" people). In China Jinping uses re-education camps and capital punishment

  • China, of course. (Score:4, Interesting)

    by haunebu ( 16326 ) on Monday December 28, 2020 @01:06PM (#60872982) Homepage

    Trying to pre-empt and eliminate their growing competition in Vietnam, India, etc etc.

    The Chinese Communist Party has no problem with industrial sabotage.

  • Is there any resource with details how the attackers got in by any chance? At least on if this was some stupid mistake, outdated web service, or by social engineering

I'd rather just believe that it's done by little elves running around.

Working...