Cyber Incident Victim: Ministry of Environment
Date: May 2015
Location: Viet Nam
Summary
A cyberespionage campaign attributed to the Vietnam-linked OceanLotus group (APT32) conducted mass digital surveillance against Asian nations and organizations, focusing on government, military, human rights, media, and civil society targets. The attackers compromised more than 100 websites and injected modified JavaScript into them, serving social-engineering lures only to visitors on an attacker-maintained whitelist, and registered counterfeit domains that mimicked legitimate services such as Google and Facebook to harvest credentials and deliver malware. The operation used custom Google Apps that, once a victim granted them access, exposed the Gmail account, Let's Encrypt certificates so that the fake domains served valid HTTPS, and a set of backdoors (Cobalt Strike alongside tooling Volexity assessed to be exclusive to OceanLotus) for persistent access. The result was large-scale information theft, credential compromise, and targeted profiling of high-value individuals through a globally distributed infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In May 2017, Volexity identified and began tracking a widespread digital surveillance and attack campaign targeting multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations linked to media, human rights, and civil society. The campaign coincided with several high-profile ASEAN summits and was attributed to the advanced persistent threat group OceanLotus, also known as APT32, which SkyEye Labs first identified in 2015 and which is believed to operate from Vietnam.

Attackers compromised over 100 websites tied to government, military, human rights, civil society, media, and state oil exploration entities worldwide and used them as launchpads for attacks. Malicious content was served only to visitors matching an attacker-maintained whitelist, so the bulk of traffic to a compromised site saw nothing unusual and the activity stayed focused and stealthy. On whitelisted visits, OceanLotus delivered strategically modified JavaScript that altered the site's appearance to support social-engineering lures, tricking visitors into installing malware or granting access to their email accounts. The group also created custom Google Apps; a victim who approved the app's access request handed the attackers the ability to read the Gmail mailbox and contact list without further interaction.

This campaign represented a significant escalation in OceanLotus's tactics, techniques, and procedures, showing increased sophistication in both technical execution and operational security. Volexity noted that the group's infrastructure spanned multiple hosting providers and countries, complicating detection and attribution. OceanLotus further disguised its activity by registering domains that mimicked legitimate services such as AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google, and by obtaining Let's Encrypt TLS certificates for them, so that injected script references and phishing pages loaded over valid HTTPS and blended in with the third-party resources a normal page already pulls in.

The attackers deployed multiple backdoors. Cobalt Strike, a commercially available post-exploitation framework, was used alongside several backdoors that Volexity assessed were developed by and used exclusively by OceanLotus, reinforcing the group's self-reliance and technical capability.
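The counterfeit third-party domains described above are what a defender can look for in a compromised site's HTML. The following script is an added example, not Volexity's tooling or any artifact from the campaign: it collects every external `<script src=...>` on a page and flags hostnames that contain a well-known brand token but resolve to a registered domain that brand does not own. The sample HTML, the look-alike hostnames in it (built on the reserved `.invalid` TLD), and the partial allow-list of legitimate domains are all constructed assumptions for the demonstration.

```python
"""Flag externally loaded scripts whose hostnames impersonate well-known
web services. Added example; the HTML below, its .invalid hostnames and
the LEGIT_DOMAINS allow-list are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, deliberately partial allow-list: brand token -> registered
# domains that genuinely serve that brand's JavaScript. Extend per site.
LEGIT_DOMAINS = {
    "addthis":    {"addthis.com"},
    "disqus":     {"disqus.com", "disquscdn.com"},
    "akamai":     {"akamai.com", "akamaihd.net", "akamaized.net"},
    "baidu":      {"baidu.com", "bdstatic.com"},
    "cloudflare": {"cloudflare.com", "cloudflareinsights.com"},
    "facebook":   {"facebook.com", "facebook.net", "fbcdn.net"},
    "google":     {"google.com", "googleapis.com", "gstatic.com",
                   "google-analytics.com", "googletagmanager.com"},
}


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def registered_domain(host):
    """Last two DNS labels of host. Simplification: ignores multi-label
    public suffixes such as co.uk; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_script_host(host):
    """Return (brand, verdict); verdict is 'legitimate', 'lookalike' or
    'no_brand'. A brand token anywhere in the hostname whose registered
    domain is not on that brand's allow-list is treated as impersonation."""
    host = host.lower()
    rd = registered_domain(host)
    for brand, domains in LEGIT_DOMAINS.items():
        if brand in host:
            return brand, ("legitimate" if rd in domains else "lookalike")
    return None, "no_brand"


def find_lookalike_scripts(html, page_url):
    """Return [(script_src, brand)] for scripts served from look-alike hosts.
    Relative paths and first-party hosts are skipped; protocol-relative
    (//host/path) and absolute URLs are inspected."""
    parser = ScriptSrcParser()
    parser.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    hits = []
    for src in parser.srcs:
        host = urlsplit(src).hostname
        if not host or host.lower() == page_host:
            continue
        brand, verdict = classify_script_host(host)
        if verdict == "lookalike":
            hits.append((src, brand))
    return hits


# Constructed sample page: two genuine third-party scripts, one first-party
# script, and two injected look-alikes on the reserved .invalid TLD.
SAMPLE_HTML = """<html><head>
<script src="https://s7.addthis.com/js/300/addthis_widget.js"></script>
<script src="https://cdn.addthis-widgets.invalid/addthis_widget.js"></script>
<script src="//connect.facebook-sdk.invalid/en_US/sdk.js"></script>
<script src="/assets/site.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, brand in find_lookalike_scripts(SAMPLE_HTML, "https://www.example.org/"):
        print(f"look-alike {brand!r} script: {src}")
```

Because the campaign gated its injected script behind a whitelist, a scan from an arbitrary vantage point may retrieve clean HTML; compare the page as fetched from the targeted organization's own egress address with the same page fetched from a neutral network, and run the check on both. Any flagged host is also worth checking in Certificate Transparency logs, since the domains in this campaign carried Let's Encrypt certificates.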

Volexity described the scale of the campaign as rivaled only by operations previously conducted by the Russian APT group Turla, underscoring its reach across ASEAN and other Asian nations. OceanLotus's operations focused on mass digital profiling and information collection, using the compromised websites to harvest data from targeted individuals and organizations. The infrastructure was highly distributed, with attacker-controlled domains and IP addresses spread across hosting providers and countries to evade blocking and complicate forensic analysis. Volexity confirmed the campaign was still ongoing as of November 2017.

Impacts included the theft of confidential communications, contact networks, and organizational data from media outlets, human rights defenders, and civil society groups, potentially enabling further surveillance or repression. The timing of attacks around ASEAN summits suggested an intent to gather geopolitical intelligence or disrupt diplomatic proceedings.

Defensive measures recommended by Volexity included blocking the identified malicious domains and IP addresses, enabling two-step verification on Google accounts, keeping systems updated, and using strong passwords with two-factor authentication. One caveat for defenders: access obtained through a malicious Google App is an authorization the victim grants to the app, so it does not depend on the attacker knowing the password or passing two-step verification; reviewing and revoking third-party app access on the affected Google accounts is the complementary check. No specific remediation actions by victim organizations were detailed in the available source material, though the public disclosure aimed to raise awareness and disrupt the campaign's effectiveness. Volexity's investigation highlighted OceanLotus's evolution into a highly capable threat actor with sustained interest in compromising entities across Southeast Asia and beyond.
