Researchers at Volexity have been tracking the threat actor since May 2017; they observed attacks aimed at the Association of Southeast Asian Nations (ASEAN) and at media, human rights, and civil society organizations.
“In May 2017, Volexity identified and started tracking a very sophisticated and extremely widespread mass digital surveillance and attack campaign targeting several Asian nations, the ASEAN organization, and hundreds of individuals and organizations tied to media, human rights and civil society causes,” reads the analysis published by Volexity. “These attacks are being conducted through numerous strategically compromised websites and have occurred over several high-profile ASEAN summits. Volexity has tied this attack campaign to an advanced persistent threat (APT) group first identified as OceanLotus by SkyEye Labs in 2015.”
The researchers compared the hacker group with the dreaded Russia-linked Turla APT.
The APT32 group, also known as OceanLotus, has been active since at least 2012; according to the experts, it is a state-sponsored hacking group.
The hackers have targeted organizations across multiple industries, as well as foreign governments, dissidents, and journalists.
Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. APT32 has also targeted peripheral network security and technology infrastructure corporations, as well as security firms that may have connections with foreign investors.
“APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests,” states the analysis published by FireEye in May.
FireEye highlighted that, at present, it is impossible to precisely link the group to the Vietnamese government, even though the information gathered by the hackers would be of very little use to any other state.
APT32 has used both Windows and Mac malware in its campaigns, and the group has devised sophisticated techniques to evade detection.
“Volexity believes the size and scale of this attack campaign have only previously been rivaled by a Russian APT group commonly referred to as Turla,” continues the firm.
APT32 conducted a large-scale campaign powering watering hole attacks that involved more than 100 compromised websites belonging to government, military, media, civil society, human rights and oil exploitation entities.
The attacks were surgical: the compromised websites only served malware to visitors who were on a whitelist. Victims were shown a fake screen designed to trick them into authorizing a malicious Google app that could access their emails and contacts.
Other websites were used to deliver malicious code, including backdoors and custom malware.
Volexity published the key findings of its analysis of the latest wave of attacks, which is still ongoing:
APT32 has rapidly evolved and expanded its capabilities; for this reason, the experts consider this threat actor one of the most advanced in the current threat landscape.
“Volexity believes the OceanLotus threat group has rapidly advanced its capabilities and is now one of the more sophisticated APT actors currently in operation,” the company concluded.