FireEye, which specialises in advanced cyber-threats, has identified OceanLotus Group (which the company has now designated as APT32) as ‘cyber espionage actors’. FireEye reports that the group has led a ‘significant intrusion campaign’ with involvement in numerous security incidents in Vietnam since at least 2014.
FireEye investigated after several customers based in Vietnam were compromised by the breaches. The report found that other governments, ‘dissidents’ and journalists could also have been targeted by APT32, in large operations ‘aligned with state interests’.
Investigations unearthed APT32’s use of sophisticated and persistent cyber-attacks against organisations from the U.K., U.S., Germany, China and the Philippines. Many of the targeted organisations operate in Vietnam’s manufacturing, consumer products and hospitality industries. Most of the attacks were confined to Vietnam, but at least two were pre-emptive, launched against firms which planned to establish business interests there.
Nick Carr, author of the FireEye report, conceded in a statement to TechCrunch that there is no direct link between APT32 and the Vietnamese government, but asserted that there is a clear connection between the targets and nature of attacks.
Carr said: “APT32 accessed personnel details and other data from multiple victim organizations that would be of very little use to any party other than the Vietnamese government. Additionally, the timing of APT32’s intrusions appears to correspond with many of its victims’ engagements with the Vietnamese government on regulatory matters.”
The FireEye report also highlights that APT32’s targets and methods are closely aligned with the Vietnamese state’s history of censoring critics both foreign and domestic. According to the Electronic Frontier Foundation, the Vietnamese government has been cracking down on journalists and bloggers since 2013, using malicious software such as keyloggers and DDoS attacks against dissident websites and voices. According to the EFF, these organisations represent the country’s ‘only independent press’.
FireEye reports that APT32 has launched similar campaigns since at least 2014, where it orchestrated a phishing campaign using an attachment titled ‘Plans to crackdown on protesters at the Embassy of Vietnam.exe’. In 2015 SkyEye Labs, a security research division of Chinese firm Qihoo 360, reported that Chinese public and private entities, including government agencies and research institutions were being targeted with software similar to that used by APT32. Two Vietnamese media outlets were also targeted by malware believed to be unique to APT32.
The organisation’s attacks are highly advanced, sometimes targeting specific individuals for extended periods of time. FireEye reports that its current campaign employs a range of tactics, such as manipulating file names and extensions so that a file carrying a malicious payload appears innocent. Once deployed, APT32’s software can open backdoors into infected systems and relay data back to the perpetrator.
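The deceptive-filename tactic described above (and the ‘...Embassy of Vietnam.exe’ lure in the paragraph below) is something a mail gateway or SIEM rule can flag. The following is an added example written for this article, not code from FireEye or from the APT32 report: it classifies attachment names that pair a document-like title or extension with an executable extension, or that contain a Unicode right-to-left override, and runs that check over a few constructed mail-gateway log lines. The extension lists, the log format and the sample lines are assumptions made for the example.

```python
import re

# Extension lists are constructed for this example; tune them to your own gateway.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1",
}
DOCUMENT_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "txt", "rtf", "jpg", "jpeg", "png",
}
RLO = "\u202e"            # Unicode RIGHT-TO-LEFT OVERRIDE: reverses how the rest of a name is displayed
SENTENCE_LIKE_WORDS = 4   # a stem with this many words or more reads like a document title


def classify_attachment(name):
    """Return the reasons an attachment name looks deceptive; an empty list means none found."""
    reasons = []
    if RLO in name:
        reasons.append("right-to-left override in filename")
        name = name.replace(RLO, "")
    # Split on dots and strip padding so "report.pdf      .exe" still yields ["report", "pdf", "exe"].
    parts = [p.strip().lower() for p in name.split(".")]
    stem, exts = parts[0], parts[1:]
    if not exts:
        return reasons
    final = exts[-1]
    if final not in EXECUTABLE_EXTENSIONS:
        return reasons
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        # "invoice.pdf.exe": the document extension is what a user sees when extensions are hidden
        reasons.append("document extension hides executable extension (%s.%s)" % (exts[-2], final))
    elif len(stem.split()) >= SENTENCE_LIKE_WORDS:
        # A sentence-length title ending in an executable extension, as in the lure reported by FireEye
        reasons.append("sentence-like title with executable extension (.%s)" % final)
    else:
        reasons.append("executable attachment (.%s)" % final)
    return reasons


# Assumed log format: one line per message, attachment name in double quotes.
ATTACHMENT_FIELD = re.compile(r'attachment="([^"]*)"')


def scan_mail_log(lines):
    """Return (attachment name, reasons) for every log line whose attachment looks deceptive."""
    flagged = []
    for line in lines:
        match = ATTACHMENT_FIELD.search(line)
        if not match:
            continue
        reasons = classify_attachment(match.group(1))
        if reasons:
            flagged.append((match.group(1), reasons))
    return flagged


# Constructed sample log lines (example.test addresses; only the lure title comes from the article).
SAMPLE_LOG = [
    'mail-gw: from=alice@example.test attachment="quarterly_report.pdf"',
    'mail-gw: from=unknown@example.test attachment="Plans to crackdown on protesters at the Embassy of Vietnam.exe"',
    'mail-gw: from=unknown@example.test attachment="invoice_2017.pdf                .exe"',
    'mail-gw: from=unknown@example.test attachment="photo\u202egpj.scr"',
]

if __name__ == "__main__":
    for attachment, reasons in scan_mail_log(SAMPLE_LOG):
        print("%-70s %s" % (attachment.replace(RLO, "<RLO>"), "; ".join(reasons)))
```

The three checks are deliberately independent: a padded double extension and a right-to-left override both survive a user having "hide known extensions" enabled, and the word-count heuristic catches the plain sentence-as-filename lure, so a benign `quarterly_report.pdf` passes while each of the other constructed names is flagged with its specific reason.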
Carr continued: “The unauthorized access could serve as a platform for law enforcement, intellectual property theft, or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations”.
“While actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability”.
In a statement to Reuters, the Vietnamese government denied any link.
Foreign Ministry spokeswoman Le Thi Thu Hang said: “The government of Vietnam does not allow any form of cyber-attacks against organizations or individuals. All cyber-attacks or threats to cybersecurity must be condemned and severely punished in accordance with regulations and laws.”
These incidents are believed to be unrelated to the WannaCry attack, the widespread ransomware outbreak which is sweeping countries across the world.