Cyber Threat Actor: OceanLotus
| Actor Type | Location | Known Incidents |
|---|---|---|
| Nation State | Viet Nam | 30 incidents |
Profile
OceanLotus, also tracked as APT32, is a Vietnam‑based advanced persistent threat group that multiple cybersecurity firms publicly link to the Vietnamese government. Its strategic objectives, as evidenced in reported operations, center on espionage: collecting nonpublic information, intelligence on foreign pandemic responses, diplomatic communications, and proprietary industrial data in support of Vietnam's economic and political interests, including the development of domestic industries such as the VinFast automotive venture.
The group’s targeting spans several sectors and geographic regions. It has repeatedly attacked automotive manufacturers, including BMW, Hyundai, and various Toyota subsidiaries, seeking intellectual property that could benefit Vietnam’s state‑supported car industry. Government entities are also frequent targets, exemplified by spearphishing campaigns against Chinese ministries handling coronavirus response, ASEAN organizations, and Philippine diplomatic offices. Additionally, the actor has hit media outlets, human rights groups, civil society organizations, research institutes, and Chinese maritime construction firms, often focusing on Japan‑based corporations and broader ASEAN nations through compromised websites and credential‑harvesting infrastructure.
Observed tactics, techniques, and procedures include the delivery of METALJACK malware via spearphishing emails that use COVID‑19‑themed lures to raise infection rates. The actor frequently deploys the Cobalt Strike post‑exploitation toolkit to establish backdoors and maintain persistent access within compromised networks. It injects JavaScript into compromised websites (strategic web compromise) to socially engineer visitors into installing malware or surrendering email credentials, and it registers counterfeit domains that mimic legitimate services such as Google, Facebook, and Cloudflare. Custom Google applications are used to hijack Gmail accounts for email and contact theft once a victim grants them access, and Let's Encrypt certificates are used heavily so that malicious infrastructure presents a valid TLS certificate and looks trustworthy. Operationally, the actor relies on a distributed, multinational hosting network and applies whitelists (allowlists) on its web‑compromise infrastructure so that malicious content is served only to visitors matching its high‑value targets.
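As an added example (not code from the original page or from any reporting on the actor), the following Python script shows one way a defender can hunt for the counterfeit-domain and Let's Encrypt pattern described above: it scans certificate-transparency-style records for hostnames that mimic the three brands named in the profile and marks findings whose certificate was issued by Let's Encrypt. The brand allowlist, the sample records, the digit-for-letter normalisation and the naive two-label registrable-domain rule are all assumptions made for this illustration; none of the hostnames are real indicators.

```python
"""Lookalike-domain hunt over constructed CT-log-style records.

Added example; not from the original page. Brand allowlist and sample
records are assumptions and constructed data, not real indicators.
"""
from __future__ import annotations

from dataclasses import dataclass

# Brands the profile says the actor counterfeits, each with the registrable
# domain assumed to be legitimately theirs (assumption for this example).
BRANDS = {
    "google": {"google.com"},
    "facebook": {"facebook.com"},
    "cloudflare": {"cloudflare.com"},
}

# Constructed (issuer, subject name) observations, as a CT monitor might emit.
SAMPLE_CERTS = [
    ("Let's Encrypt", "accounts.google.com"),
    ("Let's Encrypt", "login-google-drive.example-cdn.net"),
    ("Let's Encrypt", "accounts.google.com.secure-mail-login.org"),
    ("DigiCert", "www.facebook.com"),
    ("Let's Encrypt", "faceb00k-security.info"),
    ("Let's Encrypt", "cloudfare-protect.com"),
    ("Let's Encrypt", "mail.somecompany.example"),
]


@dataclass
class Finding:
    hostname: str
    brand: str
    reason: str
    issuer: str
    priority: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(hostname: str) -> tuple[list[str], str]:
    """Return (subdomain labels, registrable domain).

    Naive two-label rule (assumption); a production tool should consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0]
    return labels[:-2], ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Undo common digit-for-letter swaps (0->o, 1->l, 3->e, 5->s)."""
    return label.translate(str.maketrans("0135", "oles"))


def mimics(label: str, brand: str) -> bool:
    """True if the label contains the brand or a hyphen-separated token
    within edit distance 1 of it (catches cloudfare, gooogle, faceb00k)."""
    n = normalise(label)
    if brand in n:
        return True
    return any(levenshtein(tok, brand) <= 1 for tok in n.split("-"))


def check_hostname(hostname: str, issuer: str) -> list[Finding]:
    subs, reg = split_host(hostname)
    sld = reg.split(".")[0]
    priority = "high" if "let's encrypt" in issuer.lower() else "medium"
    findings = []
    for brand, legit in BRANDS.items():
        if reg in legit:
            continue  # the brand's own registrable domain is not a lookalike
        if any(mimics(s, brand) for s in subs):
            reason = "brand appears in subdomain of an unrelated registrable domain"
        elif mimics(sld, brand):
            reason = "brand mimicked in the registrable label"
        else:
            continue
        findings.append(Finding(hostname, brand, reason, issuer, priority))
    return findings


def scan(records: list[tuple[str, str]]) -> list[Finding]:
    """Run every record through check_hostname and collect all findings."""
    return [f for issuer, host in records for f in check_hostname(host, issuer)]


if __name__ == "__main__":
    for f in scan(SAMPLE_CERTS):
        print(f"[{f.priority}] {f.hostname}: {f.reason} ({f.brand}, issuer={f.issuer})")
```

Run against a real CT feed, the same logic would produce a stream of candidate domains to pivot on (hosting provider, registration date, page content) rather than alerts on their own; the Let's Encrypt priority bump reflects the profile's observation, not a rule that all such certificates are malicious.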
Representative campaigns illustrate the actor’s scope and methods. In early 2020, OceanLotus conducted a spearphishing operation targeting Chinese government bodies involved in coronavirus response, sending emails with METALJACK payloads that referenced fabricated travel advisories and pandemic updates. During 2019, the group breached the networks of BMW, Hyundai, and multiple Toyota and Lexus sales subsidiaries, installing Cobalt Strike to create backdoors and allegedly exfiltrate customer and design data. A 2017 mass digital surveillance effort saw over 100 websites linked to government, media, human rights, and civil society organizations compromised to harvest credentials and monitor visitors across ASEAN summits. Finally, the actor was implicated in the leak of Philippine government documents, including a Trump‑Duterte transcript and related diplomatic briefings, which were uploaded to VirusTotal and attributed to OceanLotus‑associated lures. These examples demonstrate the actor’s consistent use of spearphishing, web‑based injection, and credential‑stealing tools to pursue state‑directed espionage objectives.
