Cyber Incident Victim: Cambodian National Police
Date: May 2015
Location: Viet Nam
Summary
A sophisticated cyberespionage campaign attributed to the Vietnam-based OceanLotus group (APT32) targeted ASEAN nations, media outlets, human rights organizations, and civil society entities through mass digital surveillance and strategic website compromises. The attackers deployed over 100 compromised websites tied to government, military, and civil society sectors, employing whitelists for precision targeting, custom Google Apps to hijack Gmail accounts, and modified JavaScript to socially engineer visitors into installing malware. The infrastructure included domains impersonating legitimate services such as Google and Facebook and Let’s Encrypt certificates to encrypt traffic, and the tooling included proprietary backdoors such as Cobalt Strike. The Cambodian National Police were among the victims of this large-scale operation, which was designed to harvest sensitive communications and contacts.
Description
In May 2017, Volexity identified a widespread digital surveillance and attack campaign targeting multiple Asian nations, including ASEAN member states, as well as organizations and individuals associated with government, military, human rights, civil society, media, and state oil exploration sectors. The campaign, attributed to the Vietnam-based OceanLotus group (also known as APT32), employed strategically compromised websites to launch attacks coinciding with high-profile ASEAN summits. Attackers compromised over 100 legitimate websites globally, modifying them with JavaScript to alter content displays and facilitate social engineering attacks. These modifications prompted visitors to install malware or surrender access to their email accounts. The group deployed custom Google Apps to infiltrate victim Gmail accounts, enabling theft of emails and contact lists. Targeting precision was achieved through whitelists that filtered victims, ensuring only specific individuals and organizations received malicious content. The campaign represented a significant escalation in OceanLotus’s tactics, leveraging compromised infrastructure to profile victims and harvest intelligence on a massive scale.

The attack infrastructure spanned multiple hosting providers and countries, utilizing attacker-created domains mimicking legitimate services including AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. OceanLotus heavily relied on Let’s Encrypt SSL/TLS certificates to disguise malicious traffic and employed exclusive backdoors like Cobalt Strike alongside other custom-developed malware. The operation’s scale was noted as comparable only to historical activities by the Russian Turla APT group. Impacts included unauthorized data collection from high-value targets across governmental, journalistic, and civil society sectors, with compromised websites serving as persistent attack vectors. In response, security measures included blocking identified malicious domains and IP addresses, enforcing two-step authentication for Google accounts, and maintaining system updates with strong password policies to disrupt further exploitation. The campaign demonstrated advanced persistent threat capabilities focused on long-term intelligence gathering and surveillance across strategic Southeast Asian entities.
