Cyber Incident Victim: Bokeo Province
Date: May 2017
Location: Viet Nam
Summary
A sophisticated cyberespionage campaign attributed to the Vietnam-based OceanLotus group targeted ASEAN entities, governments, media outlets, human rights organizations, and civil society through mass digital surveillance and exploitation. The attackers compromised over 100 websites across sectors including military, energy, and activism, deploying strategically modified JavaScript to socially engineer visitors into installing malware or surrendering email credentials. Custom Google Apps tools were leveraged to infiltrate victim Gmail accounts, harvesting communications and contacts. Operations utilized a distributed infrastructure with domains impersonating legitimate services like Google and Facebook, alongside Let's Encrypt certificates and exclusive backdoors such as Cobalt Strike, enabling extensive profiling and data theft during high-profile regional summits.
Description
In May 2017, Volexity identified a widespread digital surveillance and attack campaign targeting multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations linked to media, human rights, and civil society. The campaign, attributed to the Vietnam-based APT group OceanLotus (also known as APT32), leveraged strategically compromised websites to launch attacks during high-profile ASEAN summits. Attackers compromised over 100 websites associated with government, military, human rights groups, civil society organizations, media outlets, and state oil exploration entities. These sites were weaponized to deliver targeted JavaScript modifications that altered website appearances, facilitating social engineering attacks to install malware or steal credentials. OceanLotus employed whitelisting to focus attacks on specific individuals and organizations, while creating custom Google Apps to infiltrate victim Gmail accounts and exfiltrate emails and contact lists. The group deployed a large distributed infrastructure across multiple hosting providers and countries, registering domains mimicking legitimate services like AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. Let’s Encrypt SSL/TLS certificates were heavily utilized to obscure malicious traffic, and exclusive backdoors such as Cobalt Strike were deployed alongside other custom malware. Volexity assessed the campaign’s scale as comparable only to operations by the Russian APT group Turla, noting OceanLotus’ increased sophistication in tactics, techniques, and procedures since its initial identification by SkyEye Labs in 2015.

The campaign enabled mass digital profiling and information collection, with compromised websites serving as launchpads for global attacks. Victims faced credential theft, email compromise, and malware infections, with attackers systematically harvesting sensitive communications and contact networks. OceanLotus’ infrastructure relied on geographic diversity and impersonation of trusted services to evade detection while maintaining persistent access. Volexity documented the group’s operational continuity across multiple ASEAN summits, indicating sustained strategic objectives. In response, defenders recommended blocking identified malicious domains and IP addresses, enforcing two-step authentication for Google accounts, and maintaining system updates with strong passwords and multi-factor authentication. The incident underscored the group’s focus on espionage against geopolitical entities and civil society, with compromised organizations suffering data breaches and surveillance over extended periods.
