
OceanLotus APT acting in accordance with Vietnamese interests, researchers report

An advanced persistent threat group whose actions appear to align with Vietnamese state interests has been actively compromising private corporations and targeting foreign governments, dissidents and media since at least 2014, according to researchers at FireEye, who have designated this group as APT32.

Following a coordinated internal intelligence effort this past March, FireEye and its Mandiant incident response unit have reported that APT32, also known as the OceanLotus Group, is linked to the 2017 compromise of a global consulting firm's Vietnamese offices, a 2016 malware attack on a hospitality developer with plans for expansion into Vietnam, and the 2016 targeting of Vietnamese and foreign-owned corporations operating in the fields of network security, technology infrastructure, banking and media.

FireEye also blames OceanLotus for a 2017 social engineering campaign targeting Vietnamese individuals in Australia and government employees in the Philippines, malware attacks against two Vietnamese media outlets in 2015 and 2016, and several other linked malicious campaigns, some of which use malware considered unique to the threat group.

Tactically, APT32 has often been observed "using ActiveMime files that employ social engineering methods to entice the victim into enabling macros," which upon execution download malicious payloads from command-and-control servers, FireEye wrote in a Sunday blog post.

OceanLotus is known to use cloud-based email analytics software intended for sales organizations to track victims of the APT group's phishing campaigns, FireEye further reported. Moreover, in observed campaigns, the group "utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32 monitored infrastructure," then monitored web logs to track the IP addresses used to request these images. "When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms," the blog post continues.
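The two tradecraft details above (macro-bearing ActiveMime documents, and web-page image links in those documents used as beacons) can both be checked from the defender's side before a document is opened. The following is an added triage example written for this article; it is not code from FireEye or from the original post. It assumes only that an ActiveMime document is the MHTML (MIME multipart/related) web-page container that Office saves, carrying an `editdata.mso` part alongside the HTML, and it walks that container to report any `<img>` references to remote hosts. The sample document, the `tracker.example.invalid` hostname and the `application/x-mso` content type check are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a minimal MHTML-style document with one remote image
# reference (a 1x1 beacon) and one local image, plus an editdata.mso part.
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_01"

------=_NextPart_01
Content-Location: file:///C:/doc.htm
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Quarterly report</p>
<img src="http://tracker.example.invalid/pixel.gif?id=12345" width="1" height="1">
<img src="file:///C:/doc_files/logo.png">
</body></html>

------=_NextPart_01
Content-Location: file:///C:/doc_files/editdata.mso
Content-Transfer-Encoding: base64
Content-Type: application/x-mso

QWN0aXZlTWltZQ==

------=_NextPart_01--
"""

# Matches the src attribute of <img> tags in an HTML part.
IMG_SRC_RE = re.compile(r'<img[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def find_remote_images(mht_bytes: bytes) -> list:
    """Return http/https image URLs referenced by any text/html part.

    A remote image inside an offline document is the web-bug pattern described
    in the article: opening the file makes the reader's IP fetch the image.
    """
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # decoded text of the HTML part
        for url in IMG_SRC_RE.findall(html):
            if urlparse(url).scheme in ("http", "https"):
                hits.append(url)
    return hits


def has_mso_part(mht_bytes: bytes) -> bool:
    """True if the container carries an .mso part (the editable Office data).

    The .mso part is what makes the web page an ActiveMime document that
    Office will reopen as a full document; it is where macros would live.
    The application/x-mso content-type match is an assumption for this example.
    """
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    for part in msg.walk():
        loc = (part.get("Content-Location") or "").lower()
        if loc.endswith(".mso") or part.get_content_type() == "application/x-mso":
            return True
    return False


def triage(mht_bytes: bytes) -> dict:
    """Summarise the beacon and macro-carrier indicators for one document."""
    remote = find_remote_images(mht_bytes)
    return {
        "remote_images": remote,
        "beacon_hosts": sorted({urlparse(u).hostname for u in remote}),
        "has_mso": has_mso_part(mht_bytes),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MHT))
```

The hostnames in `beacon_hosts` are the ones to look for in proxy or DNS logs: a request for that URL from an internal address is the same signal the attackers read from their own web logs, seen from the other side.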

While FireEye could not confirm the motivation for each APT32 attack, the company warned that the group's campaigns could "ultimately erode the competitive advantage of targeted organizations." "Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
