Cyber Threat Actor: Couple from Vietnam
| Actor Type | Location | Known Incidents |
Criminal
|
Viet Nam
|
1 incident |
|---|
Profile
The threat actor known as TeaPea, also identified as TeaPets and described as a "Vietnamese hacking couple" or "Couple from Vietnam," operates from Vietnam. Their activities gained public attention following a high-impact cyberattack against InterContinental Hotels Group (IHG) in August 2022. The attackers demonstrated a focus on financial gain through ransomware but shifted to destructive tactics when obstructed. They explicitly stated frustration with low wages in Vietnam as a motivating factor, though they framed the attack itself as being carried out "for fun" after their initial plan failed.
The group compromised IHG through a phishing email delivering malicious software, bypassing two-factor authentication protections. After initial access, they exploited weak credential security—specifically discovering a corporate password vault protected by the password "Qwerty1234," which was accessible to all employees—to escalate privileges and move laterally. When IHG’s IT team began isolating systems to contain the ransomware attempt, the attackers deployed a wiper to irreversibly delete data, disrupting global booking and check-in services for days. They claimed no customer data was exfiltrated but accessed internal corporate communications and files. The incident highlights their opportunistic use of common vulnerabilities (weak passwords, phishing) and adaptability in switching from ransomware to destruction. Publicly available evidence does not link them to state-sponsored groups or broader criminal networks, suggesting independent operation. IHG confirmed the attack’s operational impact but contested characterizations of inadequate password security, emphasizing layered defenses. The actors expressed no remorse, dismissing the severity of the disruption while underscoring financial grievances as a catalyst for their actions.
