Digital certificate
Cyber spies routinely steal random strangers’ identities to rent server space or register malicious websites.
The Hermetica Digital certificate was issued in April 2021, but the time stamp on the malicious code itself was Dec. 28, 2021.
ESET researchers said in a blog post that those dates suggested that “the attack may have been in the works for some time.”
If, as is widely assumed by cybersecurity experts and US defence officials, the attacks were carried out by Russians, then the time stamps are potentially significant data points for observers hoping to understand when the plan for the invasion of Ukraine came together.
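The timestamp comparison the article relies on (certificate issuance date versus the compile timestamp embedded in the signed binary) is a routine triage step for analysts. The following Python is an added illustration of that check, not code from ESET, Reuters or any firm quoted here. It constructs a minimal PE header inline rather than reading a real sample, and the certificate validity window is a labelled placeholder: the article gives only "April 2021" for issuance, so the exact day and the expiry date are assumed. The signature itself is not parsed; in practice the certificate dates would come from an Authenticode parser.

```python
import struct
from datetime import datetime, timezone

# Placeholder certificate validity window. The article says the certificate
# was issued in April 2021; the exact day and the expiry are assumptions.
CERT_NOT_BEFORE = datetime(2021, 4, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2022, 4, 1, tzinfo=timezone.utc)

# Compile timestamp reported for the malicious code (Dec. 28, 2021, time-of-day assumed 00:00 UTC).
REPORTED_COMPILE_TIME = datetime(2021, 12, 28, tzinfo=timezone.utc)


def build_sample_pe(time_date_stamp: int) -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a PE signature
    followed by a COFF file header. Only the fields this check reads are set."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew: PE signature sits right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, time_date_stamp, 0, 0, 0, 0)
    return bytes(dos_header) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp follows the 2-byte Machine and 2-byte NumberOfSections fields.
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage_signed_binary(data: bytes, not_before: datetime, not_after: datetime) -> dict:
    """Compare the binary's compile time with the signing certificate's validity window.

    Caveat: the PE timestamp is attacker-controlled (it can be zeroed or forged), so a
    plausible-looking value is a lead for timeline analysis, not proof of when the
    build happened. A compile time outside the certificate window is the stronger signal.
    """
    compiled = pe_compile_time(data)
    return {
        "compile_time": compiled,
        "days_after_cert_issue": (compiled - not_before).days,
        "compiled_outside_validity": not (not_before <= compiled <= not_after),
    }


def run_example() -> dict:
    """Apply the check to the constructed sample carrying the reported compile time."""
    sample = build_sample_pe(int(REPORTED_COMPILE_TIME.timestamp()))
    return triage_signed_binary(sample, CERT_NOT_BEFORE, CERT_NOT_AFTER)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With the placeholder window, the sample's compile time falls 271 days after issuance and inside the certificate's validity, which is exactly the situation the article describes: the dates are consistent with either a long-planned operation or a certificate obtained well before the final build. A zeroed or pre-issuance timestamp, by contrast, is flagged as outside the validity window and points to tampering or a misused certificate.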
ESET’s head of threat research, Jean-Ian Boutin, told Reuters there were various ways in which a malicious actor could fraudulently obtain a code signing certificate.
“They can obviously obtain it themselves, but they can also buy it in the black market,” Boutin said.
“As such, it is possible that the operation dates back further than we previously knew, but it is also possible that the threat actor acquired this code signing certificate recently, just for this campaign.”
Ben Read, director of cyber espionage analysis at Mandiant, said it was possible that a group could “impersonate a company in communications with a digital cert providing company and get a legitimate cert fraudulently issued to them.”
Cybersecurity firm Symantec said organisations in the financial, defence, aviation and IT services sectors had been targeted in Wednesday’s attack.
DigiCert, the company that issued the digital certificate, did not immediately respond to a request for comment.
Juan-Andres Guerrero-Saade, a cybersecurity researcher at digital security firm SentinelOne, said the purpose of the attack was clear: “This was meant to damage, disable, signal and cause havoc.”