Date: May 2017

Location: Viet Nam

Summary

A sophisticated cyberespionage campaign attributed to the Vietnam-linked OceanLotus group targeted government entities, including the Ministry of Public Works and Transport, alongside ASEAN organizations, media outlets, human rights groups, and civil society through compromised websites. Attackers deployed strategic JavaScript injections to manipulate site content for social engineering, created counterfeit domains impersonating major online services, and utilized custom Google Apps to hijack Gmail accounts for data exfiltration. The operation leveraged a distributed infrastructure with whitelisted targeting, multiple backdoors like Cobalt Strike, and Let's Encrypt certificates to conduct mass digital surveillance and credential theft against high-value individuals and organizations across Asia.


Description

In May 2017, Volexity identified a sophisticated mass digital surveillance and attack campaign targeting multiple Asian nations, including members of the ASEAN organization, as well as hundreds of individuals and organizations linked to government, military, human rights, civil society, media, and state oil exploration sectors. The campaign, attributed to the Vietnam-based advanced persistent threat group OceanLotus (also known as APT32), operated through strategically compromised websites and coincided with several high-profile ASEAN summits. Attackers compromised over 100 websites globally, using them to launch attacks that employed whitelisting techniques to selectively target specific individuals and organizations. The group deployed custom Google Apps designed to infiltrate victim Gmail accounts, enabling theft of emails and contact lists. OceanLotus utilized JavaScript modifications on compromised websites to alter their appearance, facilitating social engineering attacks that tricked visitors into installing malware or surrendering email credentials. This activity represented a significant escalation in the group’s tactics, techniques, and procedures compared to earlier operations documented since 2015.


The campaign leveraged a distributed infrastructure spanning multiple hosting providers and countries, incorporating attacker-created domains mimicking legitimate services like AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. OceanLotus heavily utilized Let’s Encrypt SSL/TLS certificates to obscure malicious traffic and employed exclusive backdoors such as Cobalt Strike for persistent access. The operation’s scale rivaled historical activities attributed to the Russian APT group Turla, with impacts including extensive digital profiling and information collection from targeted entities. Volexity documented the campaign’s global reach but did not disclose specific data exfiltrated from individual victims. Defensive measures against these attacks included blocking identified malicious domains and IP addresses, enabling two-step authentication for Google accounts, maintaining updated systems, and enforcing strong password policies across affected organizations.
