Date: May 2017

Location: Viet Nam

Summary

A sophisticated cyberespionage campaign attributed to the Vietnam-linked OceanLotus group (APT32) conducted mass digital surveillance against the Association of Southeast Asian Nations and affiliated Asian entities, alongside hundreds of media outlets, human rights organizations, civil society groups, and government bodies. The attackers compromised over 100 websites to deploy strategic social engineering tactics, including modified JavaScript injections and counterfeit online service domains, facilitating credential theft and malware installation. Custom Google Apps tools targeted victim Gmail accounts for email and contact exfiltration, while a distributed infrastructure leveraging Let's Encrypt certificates and exclusive backdoors like Cobalt Strike enabled large-scale profiling and data collection operations aligned with high-profile regional summits.


Description

In May 2017, Volexity identified and began tracking a sophisticated mass digital surveillance and attack campaign targeting multiple Asian nations, the Association of Southeast Asian Nations (ASEAN), and hundreds of individuals and organizations linked to media, human rights, and civil society. This campaign, attributed to the Vietnam-based advanced persistent threat group OceanLotus (also known as APT32), coincided with several high-profile ASEAN summits. Attackers compromised over 100 websites tied to government, military, human rights, civil society, media, and state oil exploration entities, using them as launchpads for global attacks. The group employed whitelists to selectively target specific individuals and organizations, ensuring precision in their operations. They deployed strategically modified JavaScript on compromised websites to alter their appearance, facilitating social engineering attacks that tricked visitors into installing malware or granting access to email accounts. Custom Google Apps were created to infiltrate victim Gmail accounts, enabling theft of emails and contact lists. OceanLotus utilized a distributed infrastructure spanning multiple hosting providers and countries, registering domains mimicking legitimate services like AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google to evade detection. The group heavily relied on Let’s Encrypt SSL/TLS certificates to encrypt malicious traffic and employed exclusive backdoors such as Cobalt Strike. Volexity noted the campaign’s scale rivaled previous operations by the Russian APT group Turla, highlighting its unprecedented reach across Southeast Asia and beyond.

The attack campaign involved large-scale digital profiling and information collection through compromised websites, with victims spanning government, civil society, and media sectors globally. OceanLotus demonstrated advanced tactics by dynamically altering compromised sites to display tailored content based on visitor profiles, enhancing the effectiveness of their social engineering lures. Their infrastructure included numerous attacker-controlled domains designed to blend with legitimate internet traffic, complicating defensive efforts. The group’s use of multiple proprietary backdoors indicated a high degree of operational security and resource investment. While Volexity did not quantify specific data breaches or financial losses, the compromise of high-value targets suggested significant risks to diplomatic communications, activist networks, and journalistic sources. In response to the threat, Volexity advised blocking known malicious domains and IP addresses associated with the campaign, enabling two-step authentication for Google accounts, maintaining system updates, enforcing strong passwords, and implementing two-factor authentication across affected organizations. The sustained nature of the attacks indicated a long-term intelligence-gathering operation focused on geopolitical and strategic interests in the ASEAN region.
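One defensive check suggested by the injected-script and lookalike-domain tactics described above, written here as an added example that is not part of the original entry or of Volexity's report: it scans a page's external script tags for hosts that name one of the impersonated brands (AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, Google) but are not among that brand's legitimate domains. The brand-to-domain allowlist, the sample HTML and the simplified registrable-domain logic are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Legitimate hosting domains for the brands the campaign impersonated.
# This mapping is an assumption for the example, not taken from the report;
# extend it from your own allowlist before using it on real pages.
LEGIT = {
    "addthis": {"addthis.com"},
    "disqus": {"disqus.com", "disquscdn.com"},
    "akamai": {"akamai.com", "akamaihd.net", "akamaized.net"},
    "baidu": {"baidu.com", "bdstatic.com"},
    "cloudflare": {"cloudflare.com", "cloudflareinsights.com"},
    "facebook": {"facebook.com", "facebook.net", "fbcdn.net"},
    "google": {"google.com", "googleapis.com", "gstatic.com",
               "googletagmanager.com", "google-analytics.com"},
}

# Matches the src attribute of <script> tags (good enough for injected tags).
SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def registrable(host):
    # Simplified: last two labels only (ignores public suffixes like co.uk).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_lookalike_scripts(html, page_host):
    """Return (url, brand) pairs for external scripts whose host mentions a
    known brand name but is not one of that brand's legitimate domains."""
    hits = []
    for url in SCRIPT_SRC.findall(html):
        # Protocol-relative URLs (//host/path) need a scheme to parse a host.
        host = urlparse("https:" + url if url.startswith("//") else url).hostname
        if not host or host == page_host:      # relative or same-origin: skip
            continue
        domain = registrable(host)
        for brand, legit in LEGIT.items():
            if brand in host and domain not in legit:
                hits.append((url, brand))
    return hits


# Constructed sample page: two genuine third-party tags, two lookalikes,
# and one same-origin script that must be ignored.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//s7.addthis.com/js/300/addthis_widget.js"></script>
<script src="https://cdn.addthis-static.net/widget.js"></script>
<script src="https://js.disqus-cdn.org/embed.js"></script>
<script src="/static/app.js"></script>
"""

if __name__ == "__main__":
    for url, brand in find_lookalike_scripts(SAMPLE_HTML, "www.example.org"):
        print(f"suspicious {brand} lookalike: {url}")
```

The same check applies to proxy or DNS logs: feed each observed hostname through the brand-versus-allowlist comparison instead of extracting it from HTML.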
