Recent victims of APT32, aka the OceanLotus Group, include a global consulting firm, a hospitality developer and two Vietnamese media outlets, among others.

An advanced persistent threat group whose actions appear to align with Vietnamese state interests has been actively compromising private corporations and targeting foreign governments, dissidents and media since at least 2014, according to researchers at FireEye, who have designated this group as APT32.

Following a coordinated internal intelligence effort this past March, FireEye and its Mandiant incident response unit have reported that APT32, also known as the OceanLotus Group, is linked to the 2017 compromise of a global consulting firm's Vietnamese offices, a 2016 malware attack on a hospitality developer with plans for expansion into Vietnam, and the 2016 targeting of Vietnamese and foreign-owned corporations operating in the fields of network security, technology infrastructure, banking and media.

FireEye also blames OceanLotus for a 2017 social engineering campaign targeting Vietnamese individuals in Australia and government employees in the Philippines, malware attacks against two Vietnamese media outlets in 2015 and 2016, and several other linked malicious campaigns, some of which use malware considered unique to the threat group.

Tactically, APT32 has often been observed "using ActiveMime files that employ social engineering methods to entice the victim into enabling macros," which upon execution download malicious payloads from command-and-control servers, FireEye wrote in a Sunday blog post.

OceanLotus is known to use cloud-based email analytics software intended for sales organizations to track victims of the APT group's phishing campaigns, FireEye further reported. Moreover, in observed campaigns, the group "utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32 monitored infrastructure," then monitored web logs to track the IP addresses used to request these images. "When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms," the blog post continues.
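The two document features described above, a macro container and a remotely hosted image that beacons the reader's IP address to the sender's web server, can both be spotted by parsing the document's MIME structure. The following triage script is an added example, not FireEye's tooling or anything from the blog post; it assumes the lure uses Word's MHTML "Single File Web Page" layout, where macros live in an editdata.mso part that begins with the ASCII marker ActiveMime, and it runs on a constructed sample document rather than a real lure.

```python
import base64
import email
import re

# Constructed sample (not a real lure): a Word "Single File Web Page" (MHTML)
# carrying one remote image reference and an embedded editdata.mso part.
_MSO_B64 = base64.b64encode(b"ActiveMime" + b"\x00" * 22).decode()
SAMPLE_MHT = f"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Location: file:///C:/invoice.htm
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"

<html><body><p>Invoice attached</p>
<img src="http://tracker.invalid/pixel.gif" width="1" height="1">
<img src="file:///C:/invoice_files/image001.png">
</body></html>
------=_NextPart_000
Content-Location: file:///C:/invoice_files/editdata.mso
Content-Transfer-Encoding: base64
Content-Type: application/x-mso

{_MSO_B64}
------=_NextPart_000--
"""

ACTIVEMIME_MAGIC = b"ActiveMime"  # header of Office .mso macro containers
EXTERNAL_SRC = re.compile(r'\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def triage_mhtml(raw: str) -> dict:
    """Report ActiveMime parts and remote image references in an MHTML document."""
    activemime_parts, external_refs = [], []
    for part in email.message_from_string(raw).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        # editdata.mso parts hold the VBA project behind an ActiveMime header
        if body.startswith(ACTIVEMIME_MAGIC):
            activemime_parts.append(part.get("Content-Location", ""))
        # a remotely hosted image is fetched when the document is rendered,
        # so the hosting server's web log records the recipient's IP address
        if part.get_content_type() == "text/html":
            external_refs.extend(EXTERNAL_SRC.findall(body.decode("utf-8", "replace")))
    return {"activemime_parts": activemime_parts, "external_refs": external_refs,
            "suspicious": bool(activemime_parts and external_refs)}
```

Feeding quarantined attachments through `triage_mhtml` gives both the macro indicator and the beacon URLs, which can then be blocked at the proxy before a document is ever opened.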

While FireEye could not confirm the motivation for each APT32 attack, the company warned that the group's campaigns could "ultimately erode the competitive advantage of targeted organizations." "Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted."