Following the SolarWinds attacks there’s a renewed interest in the supply chain, from relatively simple scams like soundalike apps on the Google Play store to sophisticated incursions like this one. I’ve seen loads of advice about certifying suppliers but a lot of it is just extending the tick-box approach to compliance. I’d also advise you to closely monitor all communications from any application installed in your network (relatively easy to do if you use managed internet access through proxies and firewalls and don’t allow DNS lookups from the internet)…:
A group of mysterious hackers has carried out a clever supply chain attack against Vietnamese private companies and government agencies by inserting malware inside an official government software toolkit.
The attack, discovered by security firm ESET and detailed in a report named “Operation SignSight,” targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents.
Any Vietnamese citizen, private company, or even other government agency that wants to submit files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate.
The VGCA doesn’t only issue these digital certificates but also provides ready-made and user-friendly “client apps” that citizens, private companies, and government workers can install on their computers to automate the process of signing a document.
But ESET says that sometime this year, hackers broke into the agency’s website, located at ca.gov.vn, and inserted malware inside two of the VGCA client apps offered for download on the site.
The two files were 32-bit (gca01-client-v2-x32-8.3.msi) and 64-bit (gca01-client-v2-x64-8.3.msi) client apps for Windows users.
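As an added example (not from this post or the article it quotes), here is a small Python script that applies the monitoring advice at the top of the post to proxy logs: each application's outbound destinations are compared with an assumed per-application allowlist, and anything new, or going straight to an IP address instead of a name, is reported. The log format, hostnames, destinations and allowlist are all constructed assumptions, not data from the incident.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample egress log lines in an assumed proxy format:
# timestamp host process destination bytes. Not taken from the original page.
SAMPLE_LOG = """\
2020-12-17T09:01:02 ws01 gca01-client.exe ca.gov.vn 5120
2020-12-17T09:01:09 ws01 outlook.exe outlook.office365.com 20480
2020-12-17T09:02:15 ws02 gca01-client.exe ca.gov.vn 4096
2020-12-17T09:02:44 ws02 gca01-client.exe office365-update.example 77824
2020-12-17T09:03:01 ws03 gca01-client.exe 203.0.113.45 1024
"""

# Assumed baseline: destinations each installed application is expected to contact.
ALLOWLIST = {
    "gca01-client.exe": {"ca.gov.vn"},
    "outlook.exe": {"outlook.office365.com"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, dest, nbytes = m.groups()
    return {"ts": ts, "host": host, "proc": proc, "dest": dest, "bytes": int(nbytes)}

def is_ip(dest):
    """True if the destination is a bare IP address (a name lookup was bypassed)."""
    try:
        ip_address(dest)
        return True
    except ValueError:
        return False

def find_unexpected_egress(log_text, allowlist):
    """Map (process, destination, reason) -> list of hosts for connections outside the baseline."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        if rec["dest"] in allowlist.get(rec["proc"], set()):
            continue  # known-good destination for this application
        reason = "direct-ip" if is_ip(rec["dest"]) else "new-destination"
        findings[(rec["proc"], rec["dest"], reason)].append(rec["host"])
    return dict(findings)

if __name__ == "__main__":
    for key, hosts in find_unexpected_egress(SAMPLE_LOG, ALLOWLIST).items():
        print(key, hosts)
```

In practice the allowlist would be built from a learning period before the application is rolled out, and any new entry reviewed before it is accepted.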