WoSign was also caught red-handed backdating certificates to avoid the SHA1 deprecation.
So you can't trust that information either. As mentioned in a different thread, whitelisting certificates extracted from CT logs is the only really viable choice here.
The problem with this approach is that a CA that's been given the death penalty has little to lose, so they might just start backdating certificates. In fact, backdating SHA-1 certificates is one of the incidents they've now reported.
The only way to do this without the risk of backdated certificates being accepted would be to explicitly whitelist all known certificates that were issued prior to the cut-off date. I'm not sure how practical it is to ship such a large list, though (they've issued > 100k certificates in 2015 IIRC).
