Symantec Tracks And Documents A Threat Actor Named “Billbug”

Symantec has released a blog post detailing a new threat actor named “Billbug” which appears to be a nation state actor that is going compromised a certificate authority as well as government agencies:

Symantec, by Broadcom Software, was able to link this activity to a group we track as Billbug due to the use in this campaign of tools previously attributed to this group. Billbug (aka Lotus Blossom, Thrip) is a long-established advanced persistent threat (APT) group that is believed to have been active since at least 2009. Symantec has previously published on this group’s activity in 2018 and 2019 under the Thrip name, but following our 2019 investigation, we determined that Thrip and Billbug were most likely the same group so now track all activity under the Billbug name.

In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity.

The victims in this campaign included a certificate authority, as well as government and defense agencies. All the victims were based in various countries in Asia. Billbug is known to focus on targets in Asian countries. In at least one of the government victims, a large number of machines on the network were compromised by the attackers.

The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic. However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates. Symantec has notified the cert authority in question to inform them of this activity.

This activity has been ongoing since at least March 2022.

Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi had this to say

“The compromise of a digital certificate authority (CA) is bad news. CAs are a vital centerpiece in the system of identity that keeps our online world running securely. A CA issues companies with TLS certificates – a type of machine identity that enables secure machine-to-machine communication. This identity tells other machines that it can be trusted. It is this system that enables the green padlock we are all so familiar with now. If a CA is compromised, all the identities associated with it come into question. 

In this particular case, the attack on the CAs has all the tell-tale signs of a sophisticated nation state attack. However, this doesn’t just impact the CAs – every business, consumer and government that relies on these CAs to know whether a digital service is real or fake, and whether communications are private or tapped, is impacted. An attacker could use this position of power to conduct man-in-the-middle attacks, to intercept encrypted traffic, or to issue identities for malicious or fraudulent services to enable them to be trusted by major browsers and operating systems. We’ve seen this play out with attacks such as DigiNotar in the Netherlands.  

To remediate the problem, just as you change your passwords if they are breached, CISOs, CIOs and CEOs must do the same for machine identities. In today’s age of businesses running in the cloud, organizations must quickly identify and remove all certificates associated with unknown and untrusted CAs, and replace them with new certificates from trusted sources. Yet an organization could have hundreds, if not thousands of identities to replace. This is why organizations need to invest in a control plane that can automate the management of machine identities.” 

Sitaram Iyer, Senior Director of Cloud Native Solutions, Venafi had this to add:

“This compromise of a certificate authority (CA) highlights the importance of managing all machine identities in an enterprise. If the compromised were to be the root CA, then the attacker can potentially gain full control over the entire PKI infrastructure and compromise the trust in the system. Revocation of all the certificates issued by this CA must be revoked and replaced. This certainly comes at a high-cost effort – and in most cases, credibility of the organization.  

This can be even more catastrophic as organizations create subordinate CAs that are used for signing workloads in cloud native environments for managing pod or mesh identities. The sheer volume of these identities and the need to revoke all subordinates, recreate them and issue identities for workloads is a huge effort.  

Protecting and managing all the machine identities, irrespective of where and how it’s used, is critical for creating an enterprise security posture. Manual processes need to be eliminated, and all machine identity management should be 100% automated with security teams having the right kind of observability.” 

Clearly this is a threat actor that needs monitoring as they aren’t going away. In fact it seems that the longer they are around, the more sophisticated that they get.

Leave a Reply

%d bloggers like this: