Cyber Incident Victim: Vietnam Government Certification Authority
Date: Jul 2020
Location: Viet Nam
Summary
Hackers compromised the Vietnam Government Certification Authority's website to distribute malware-laden client applications used for digitally signing official documents. The malicious software, identified as PhantomNet, functioned as a reconnaissance backdoor enabling proxy configuration bypass and secondary payload delivery, potentially facilitating espionage against selected targets. Security researchers discovered the supply chain attack and notified the agency, which subsequently acknowledged the breach and provided malware removal guidance. While attribution remains unconfirmed, the malware has historical associations with Chinese state-sponsored cyber operations. This incident represents one of several high-profile supply chain compromises targeting critical administrative software platforms globally.
Description
In July and August 2020, hackers compromised the Vietnam Government Certification Authority (VGCA) website (ca.gov.vn) and inserted malware into two official software packages distributed by the agency. The affected files were the 32-bit (gca01-client-v2-x32-8.3.msi) and 64-bit (gca01-client-v2-x64-8.3.msi) versions of a client application designed to automate document signing with VGCA-issued digital certificates. These applications were mandatory for Vietnamese citizens, businesses, and government agencies submitting electronically signed documents to state authorities. Security firm ESET discovered the tampered installers contained PhantomNet (also known as Smanager), a modular backdoor trojan active between July 23 and August 5. The malware provided basic reconnaissance capabilities, including retrieving system proxy settings to bypass corporate firewalls and downloading additional malicious payloads. Researchers assessed PhantomNet served as an initial intrusion vector for more targeted follow-on attacks against high-value entities. The VGCA breach represented a supply chain attack, leveraging trust in government software to distribute malware broadly while enabling selective targeting. ESET documented the operation as "Operation SignSight" and notified VGCA in December 2020, though the agency had already detected the compromise independently.

On December 27, 2020, VGCA publicly acknowledged the security incident concurrent with ESET’s report publication and released malware removal instructions. The agency did not disclose the number of affected users or specific victims. ESET noted PhantomNet had previously been deployed in the Philippines through unidentified delivery methods, with historical ties to Chinese state-sponsored cyberespionage groups. The VGCA incident marked the fifth significant supply chain attack of 2020, following compromises including SolarWinds (attributed to Russian actors), Mongolia’s Able Desktop software (linked to Chinese hackers), China’s GoldenSpy tax software, and North Korea’s Wizvera VeraPort campaign targeting South Korean users. No data theft or disruptive outcomes were confirmed in the VGCA case, though the backdoor’s presence created risks of secondary infections and data exfiltration. The breach undermined confidence in Vietnam’s digital certification infrastructure, given the VGCA’s role as the sole issuer of legally recognized e-signatures.
