Cyber Incident Victim: BDStar

Date:

May 2017

Location:

Viet Nam

Summary

A Vietnam-based advanced persistent threat group, OceanLotus (APT32), conducted a large-scale digital surveillance campaign targeting ASEAN nations, media, human rights organizations, and civil society. The attackers compromised over 100 websites to deploy malicious profiling scripts, obtained access to victims' Gmail accounts through custom Google Apps that targets were tricked into authorizing, distributed Cobalt Strike and proprietary backdoors, and used domains mimicking legitimate services alongside social engineering to facilitate malware installation and data theft.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In May 2017, Volexity identified a widespread digital surveillance and attack campaign targeting multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations associated with media, human rights, civil society, government, military, and state oil exploration sectors. The campaign, attributed to the advanced persistent threat group OceanLotus (also known as APT32), employed strategically compromised websites to launch attacks timed around high-profile ASEAN summits. OceanLotus, believed to operate from Vietnam, used over 100 compromised websites as watering holes: injected scripts profiled visitors and delivered malicious payloads only to those matching whitelists of intended victims. Attackers deployed custom Google Apps that tricked victims into granting access to their Gmail accounts, enabling theft of emails and contact lists. They also injected targeted JavaScript into compromised websites to alter their appearance, facilitating social engineering that tricked visitors into installing malware or surrendering email credentials. The operation leveraged a distributed infrastructure spanning multiple hosting providers and countries, with attacker-created domains impersonating legitimate services including AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. Let's Encrypt SSL/TLS certificates were used extensively so that the malicious traffic blended in with ordinary HTTPS.
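The impersonation technique above (third-party widget and CDN domains that borrow a brand name but are not the brand's real domains) can be hunted for on a site's own pages. The following is an added example, not code from Volexity or from the original page: it parses the script tags in an HTML document and flags sources whose hostname contains one of the imitated brand tokens without resolving to that brand's genuine registrable domain. The allowlist of legitimate domains and the sample HTML are constructed for illustration; the hostnames in the sample are not indicators from the report, and a production tool would use the Public Suffix List rather than the naive two-label domain split used here.

```python
"""Hunt for <script src> tags that imitate trusted widget/CDN providers.

Added example. LEGIT_DOMAINS and SAMPLE_HTML are constructed assumptions for
illustration; they are not indicators or an authoritative allowlist.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand tokens an attacker might borrow, mapped to the registrable domains the
# real service actually uses. Illustrative and incomplete; extend it for your
# environment (assumption, not a complete list).
LEGIT_DOMAINS = {
    "addthis": {"addthis.com"},
    "disqus": {"disqus.com", "disquscdn.com"},
    "akamai": {"akamai.com", "akamai.net", "akamaihd.net", "akamaized.net"},
    "baidu": {"baidu.com", "bdstatic.com"},
    "cloudflare": {"cloudflare.com", "cloudflareinsights.com"},
    "facebook": {"facebook.com", "facebook.net", "fbcdn.net"},
    "google": {"google.com", "googleapis.com", "gstatic.com",
               "googletagmanager.com", "google-analytics.com"},
}

# Constructed sample page: two genuine third-party scripts mixed with three
# injected ones whose hostnames merely contain a brand name.
SAMPLE_HTML = """
<html><head>
<script src="https://s7.addthis.com/js/300/addthis_widget.js"></script>
<script src="//cdn.addthis-static.net/widget.js"></script>
<script src="https://disqus-cdn.example.org/embed.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://connect.facebook.com.cdn-akamai.example.com/sdk.js"></script>
</head><body></body></html>
"""


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def extract_script_srcs(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


def hostname_of(src):
    """Return the lower-cased hostname of a script URL, handling the
    protocol-relative '//host/path' form that injected tags often use."""
    if src.startswith("//"):
        src = "https:" + src
    host = urlparse(src).hostname
    return host.lower().rstrip(".") if host else None


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Adequate for the .com/.net style
    domains used here; consult the Public Suffix List in real tooling."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_lookalike(host):
    """Return the imitated brand when host contains a brand token but its
    registrable domain is not one the brand really uses, else None.
    Subdomain tricks such as 'connect.facebook.com.attacker.example' are
    caught because only the registrable domain is compared."""
    reg = registrable_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in host and reg not in legit:
            return brand
    return None


def find_lookalike_scripts(html):
    """Return (src, hostname, imitated_brand) for each suspicious script tag."""
    findings = []
    for src in extract_script_srcs(html):
        host = hostname_of(src)
        if not host:
            continue  # inline or relative scripts are out of scope here
        brand = is_lookalike(host)
        if brand:
            findings.append((src, host, brand))
    return findings


if __name__ == "__main__":
    for src, host, brand in find_lookalike_scripts(SAMPLE_HTML):
        print(f"suspicious: {host} imitates {brand} ({src})")
```

Run against saved copies of your own pages (or a crawl of them) rather than live fetches, so that a whitelist-gated watering hole that serves clean content to scanners does not hide the injection from you.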


The campaign's scale rivaled previous operations by the Russian APT group Turla, marking one of the most extensive digital surveillance efforts observed at the time. OceanLotus used the commercial Cobalt Strike framework alongside multiple backdoors that Volexity assessed were proprietary, developed and exclusively deployed by the group. The attacks enabled mass profiling and information collection from targeted entities across geopolitical, media, and civil society spheres. Volexity documented the infrastructure and tactics to assist in detection, advising organizations to block the associated domains and IP addresses. It also emphasized enabling two-step verification on Google accounts, reviewing and revoking unrecognized third-party apps with account access, keeping systems updated, and pairing strong passwords with multi-factor authentication to counter credential theft and unauthorized access. The operation demonstrated significant technical sophistication in its tailored social engineering, infrastructure diversification, and persistent targeting of high-value entities throughout the ASEAN region.

Sources

1 source (available to members)