Cyber Incident Victim: Ocean Lotus
Date: Jan 2015
Location: Viet Nam
Summary
OceanLotus, a sophisticated Vietnam-based threat group also known as APT32, conducted extensive digital surveillance and exploitation campaigns targeting government entities, military organizations, human rights advocates, civil society groups, and media outlets across multiple Asian nations and ASEAN. The group compromised over 100 websites to deploy malicious infrastructure mimicking legitimate services such as Google and Facebook, using whitelists for precise targeting, JavaScript-based social engineering, and custom Google Apps to hijack Gmail accounts. The attacks relied on distributed hosting infrastructure, spoofed domains, Let’s Encrypt certificates, and multiple backdoors, including Cobalt Strike and others believed to be exclusive to the group, to steal sensitive communications and profile victims at scale.
Description
In May 2017, Volexity identified and began tracking a sophisticated, widespread mass digital surveillance and attack campaign conducted by the advanced persistent threat group OceanLotus, also known as APT32. This campaign targeted multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations linked to the media, human rights, civil society, government, military, and state oil exploration sectors. The attacks took place during several high-profile ASEAN summits and leveraged strategically compromised websites to profile victims and collect information. OceanLotus, first identified by SkyEye Labs in 2015, is believed to operate from Vietnam and demonstrated increased sophistication in its tactics, techniques, and procedures during this campaign. The group employed whitelists to selectively target specific individuals and organizations, ensuring that attacks remained focused on high-value entities. A key component involved custom Google Apps designed to compromise victim Gmail accounts, enabling theft of emails and contact lists. Additionally, the attackers injected targeted JavaScript into compromised websites to alter their appearance, facilitating social engineering attacks that tricked visitors into installing malware or surrendering email credentials. Over 100 websites globally were weaponized to launch these attacks, which spanned multiple sectors and geographies.

The attack infrastructure was highly distributed, using numerous hosting providers across multiple countries to evade detection. OceanLotus registered domains mimicking legitimate services and organizations, including AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google, to lend credibility to its malicious operations. The group relied heavily on Let’s Encrypt SSL/TLS certificates to encrypt communications and obscure malicious traffic. Multiple custom backdoors, including Cobalt Strike and others believed to be exclusively developed and used by OceanLotus, provided persistent access to compromised systems. Volexity assessed the scale of this campaign as rivaling previous operations by the Russian APT group Turla, underscoring its significant reach and operational capacity. The campaign’s primary impact was extensive digital profiling and information collection from targeted entities, compromising sensitive communications and organizational data. Recommended defensive measures included blocking the domains and IP addresses associated with the campaign, enabling two-step verification for Google accounts, and keeping systems updated and protected with strong passwords and two-factor authentication. The attacks were still ongoing at the time of Volexity’s report, highlighting the persistent nature of the threat posed by OceanLotus.
