Cyber Incident Victim: ASEAN Trade Repository
Date: May 2017
Location: Viet Nam
Summary
A sophisticated cyberespionage campaign attributed to the Vietnam-based OceanLotus group (APT32) targeted the ASEAN Trade Repository and associated entities, including government, military, human rights, media, and civil society organizations. The attackers compromised over 100 websites to conduct mass digital surveillance, strategically modifying site content to socially engineer visitors into installing malware or surrendering email credentials. They employed custom Google Apps to hijack Gmail accounts, harvested contacts and communications, and used whitelists to focus on specific high-value targets. The operation relied on a distributed infrastructure of domains impersonating legitimate services such as Google and Facebook, secured with Let's Encrypt certificates, and on multiple backdoors, including Cobalt Strike and tools believed to be exclusive to the group. This large-scale effort enabled extensive information theft and profiling across multiple ASEAN summits.
Description
In May 2017, cybersecurity firm Volexity identified and began tracking a sophisticated mass digital surveillance and attack campaign targeting multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations associated with media, human rights, civil society, government, military, and state oil exploration sectors. The campaign, attributed to the Vietnam-based advanced persistent threat group OceanLotus (also known as APT32), operated through strategically compromised websites and coincided with several high-profile ASEAN summits. Attackers compromised over 100 websites globally, using them as launchpads to deliver malicious payloads and conduct surveillance. The group employed whitelisting techniques to selectively target specific individuals and organizations, ensuring their attacks remained focused and evaded broad detection. A key tactic involved deploying custom JavaScript on compromised sites to alter their appearance, facilitating social engineering attacks that tricked visitors into installing malware or surrendering access to their email accounts. OceanLotus also created custom Google Apps designed to infiltrate victim Gmail accounts, enabling the theft of emails and contact lists for further targeting. The campaign leveraged multiple backdoors, including Cobalt Strike and other tools believed to be exclusively developed and used by the group.

OceanLotus maintained a large, distributed attack infrastructure spanning numerous hosting providers and countries, registering domains that mimicked legitimate services such as AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google so that malicious traffic blended with normal web activity. The group made heavy use of Let's Encrypt SSL/TLS certificates to encrypt its communications and lend its malicious domains an appearance of legitimacy. Volexity assessed the scale of the operation as rivaling earlier campaigns by the Russian APT group Turla, noting its prolonged activity across multiple ASEAN summits and its focus on harvesting sensitive information from high-value targets. Recommended defensive measures included blocking the identified malicious domains and IP addresses, enabling two-step verification on Google accounts, keeping systems updated, and using strong passwords together with multi-factor authentication to disrupt credential theft and malware deployment. The incident highlighted extensive digital profiling and information collection directed at entities critical to regional governance, civil liberties, and economic interests.
