Vietnamese APT32 group is one of the most advanced APTs in the threat landscape

Pierluigi Paganini November 07, 2017

According to the incident response firm Volexity, Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape

According to the incident response firm Volexity, the cyber espionage campaigns associated with a group operating out of Vietnam and tracked as tracked as OceanLotus and APT32 have become increasingly sophisticated.

Researchers at Volexity has been tracking the threat actor since May 2017, they observed attacks aimed at the Association of Southeast Asian Nations (ASEAN), and media, human rights, and civil society organizations.

“In May 2017, Volexity identified and started tracking a very sophisticated and extremely widespread mass digital surveillance and attack campaign targeting several Asian nations, the ASEAN organization, and hundreds of individuals and organizations tied to media, human rights and civil society causes.” reads the analysis published by Volexity. “These attacks are being conducted through numerous strategically compromised websites and have occurred over several high-profile ASEAN summits. Volexity has tied this attack campaign to an advanced persistent threat (APT) group first identified as OceanLotus by SkyEye Labs in 2015.”

The researcher compared the hacker group with the dreaded s Russia-linked Turla APT.

APT32 group

The APT32 group, also known as OceanLotus Group, has been active since at least 2012, according to the experts it is a state-sponsored hacking group.

The hackers targeted organizations across multiple industries and foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

“APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.” states the analysis published by FireEye in May.

FireEye highlighted that currently, it is impossible to precisely link the group to the Vietnamese government even if the information gathered by the hackers would be of very little use to any other state.

The APT32 has used both Windows and Mac malware in its campaign, the group devised sophisticated techniques to evade detection.

Volexity believes the size and scale of this attack campaign have only previously been rivaled by a Russian APT group commonly referred to as Turla,” continues the firm.

APT32 conducted a large-scale campaign powering watering hole attacks the involved more than 100 compromised websites belonging to government, military, media, civil society, human rights and oil exploitation entities.

The attacks were surgical, the compromised websites only served malware to visitors who were on a whitelist. Victims have displayed a fake screen designed to trick them into authorizing a malicious Google app that could access their emails and contacts.

Other websites were used to deliver malicious code, including backdoors and custom malware.

Volexity published key findings of its analysis related to the last wave of attacks that are still ongoing:

  • Massive digital profiling and information collection campaign via strategically compromised websites
  • Over 100 websites of individuals and organizations tied to Government, Military, Human Rights, Civil Society, Media, State Oil Exploration, and more used to launch attacks around the globe
  • Use of whitelists to target only specific individuals and organizations
  • Custom Google Apps designed for gaining access to victim Gmail accounts to steal e-mail and contacts
  • Strategic and targeted JavaScript delivery to modify the view of compromised websites to facilitate social engineering of visitors to install malware or provide access to e-mail accounts
  • Large distributed attack infrastructure spanning numerous hosting providers and countries
  • Numerous attacker created domains designed to mimic legitimate online services and organizations such as AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, Google, and others
  • Heavy uses of Let’s Encrypt SSL/TLS certificates
  • Use of multiple backdoors, such as Cobalt Strike and others, believed to be developed and solely used by OceanLotus

The APT32 has rapidly evolved and increased its capabilities, for this reason the experts consider this threat actor one of the most advanced in the current threat landscape.

Volexity believes the OceanLotus threat group has rapidly advanced its capabilities and is now one of the more sophisticated APT actors currently in operation,” the company concluded.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – APT32, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment