Report details mass digital surveillance, attacks on ASEAN linked to Vietnamese APT group

The security firm Volexity reported on Monday that it uncovered a massive campaign of digital surveillance and web-based attacks directed at the Association of Southeast Asian Nations (ASEAN) and at civil society groups in Vietnam, Cambodia and other countries.

Volexity researchers discovered malicious code lurking on the main website for ASEAN and on more than 80 other websites, many belonging to small media, human rights and civil society organizations, as well as to individuals who had been critical of the Vietnamese government. The malicious code allowed the hacking group, dubbed OceanLotus, to track, profile and target visitors to the websites, Volexity said.

The scope of the campaign was one of the largest the researchers have ever come across, rivaling the so-called “Waterbug” campaign of phishing and watering hole attacks that was described by the security firm Symantec in 2016.

Links to Vietnam

OceanLotus, an advanced threat group believed to be operating out of Vietnam, is alleged to have targeted ASEAN and other civil society groups.

OceanLotus is believed to be an Advanced Persistent Threat (or APT) group, also known as APT 32, that appears to be operating out of Vietnam. And, while that country is not typically listed among the top producers of offensive cyber campaigns, Volexity said OceanLotus “has rapidly advanced its capabilities and is now one of the more sophisticated APT actors currently in operation.” The close association of the observed targets with actors critical of the Vietnamese government suggests that the OceanLotus group is a nation-backed operation that has been rapidly developing a highly skilled and organized computer network exploitation (CNE) capability, the company said in its report.

A large scale operation

According to the report, the OceanLotus campaign followed a pattern similar to Waterbug and other targeted hacking operations. The group first targeted and compromised websites that were of strategic importance, adding one or more webshell backdoors to the websites to maintain persistence. Next, a malicious JavaScript framework was installed that was used to track, profile, and target the compromised website's visitors.

Visitors who were of interest to the attackers were further targeted with special JavaScript designed to compromise their system or critical accounts when they visited OceanLotus-compromised sites. Screen captures of sample attack screens show convincing-looking prompts that ask for users' Google account credentials to "take Chrome everywhere" and to access "locked" content on the compromised sites. In some cases, spear phishing campaigns were also used to attempt to install backdoors on the target systems.

Activity by hacking groups linked to nation states has increased in the five years since the Stuxnet campaign first came to light. In a report released by the Council on Foreign Relations, 16 different nations were found to be sponsoring cyber operations, including the United States. Vietnam is among those nations, with campaigns targeting civilians and other groups dating back to 2010.

Source: OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society | Volexity
