Cyber Incident Victim: Ministry of Civil Service
Date: Dec 2016
Location: Viet Nam
Summary
A sophisticated cyberespionage campaign attributed to the Vietnam-based OceanLotus group (APT32) conducted mass digital surveillance against government entities, including the Ministry of Civil Service, as well as ASEAN organizations, media outlets, human rights groups, and civil society. The attackers compromised over 100 websites across sectors and modified their content for strategic social engineering, using the altered pages to distribute malware and to harvest credentials via malicious Google Apps. The operation restricted delivery to whitelisted targets, mimicked legitimate services through spoofed domains, and used custom backdoors like Cobalt Strike together with Let’s Encrypt certificates for encrypted communications, enabling extensive information theft and unauthorized email access from victims globally.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In May 2017, Volexity identified an extensive digital surveillance and attack campaign conducted by the advanced persistent threat group OceanLotus, also known as APT32. The campaign targeted multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations affiliated with government, military, human rights, civil society, media, and state oil exploration sectors. Attacks coincided with several high-profile ASEAN summits and leveraged strategically compromised websites to profile visitors and deliver malware. OceanLotus, believed to be Vietnam-based, employed whitelists so that only specific individuals and organizations received the malicious content. The group deployed custom Google Apps to gain unauthorized access to victim Gmail accounts, enabling theft of emails and contact lists. Attackers modified compromised websites through targeted JavaScript injections that altered what visitors saw, facilitating social engineering lures that coaxed them into installing malware or surrendering email credentials. The operation relied on a distributed infrastructure spanning multiple hosting providers and countries, with attacker-created domains impersonating legitimate services including AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. Let’s Encrypt SSL/TLS certificates were used heavily to make the malicious traffic look legitimate.

The campaign impacted over 100 compromised websites globally, which functioned as launch points for attacks that collected vast amounts of sensitive information through persistent digital profiling of visitors. OceanLotus employed exclusive backdoors such as Cobalt Strike alongside other custom malware tools developed for its operations. Volexity assessed the scale of these activities as comparable only to historical operations by the Russian APT group Turla. Defensive measures against the campaign included blocking the domains and IP addresses associated with OceanLotus infrastructure. Organizations were advised to enable two-step authentication for Google accounts to mitigate credential theft via malicious Google Apps, and to review which third-party apps had been granted access to their accounts. System updates, strong password policies, and multi-factor authentication were emphasized as critical safeguards against the group’s exploitation techniques. The attacks demonstrated a sustained focus on geopolitical entities and civil society groups during periods of high diplomatic activity, with compromised assets serving the dual purposes of surveillance and malware distribution.
