
Cyber Incident Victim: China Oilfield Services Limited

Date:

May 2015

Location:

China

Summary

A sophisticated cyberespionage campaign attributed to the Vietnam-linked OceanLotus group targeted China Oilfield Services Limited alongside ASEAN entities, governments, media outlets, and civil society organizations. The attackers compromised over 100 websites across sectors including energy, military, and human rights to deploy strategic JavaScript injections, custom malicious Google Apps for Gmail credential theft, and tailored social engineering lures. Operations leveraged a distributed infrastructure with domains impersonating major online services, Let's Encrypt certificates, and exclusive backdoors like Cobalt Strike to profile victims and exfiltrate data, focusing surveillance on high-value individuals through whitelisting during regional diplomatic summits.


Description

In May 2017, Volexity identified a widespread digital surveillance and attack campaign conducted by the OceanLotus group (also known as APT32), a Vietnam-based advanced persistent threat actor. The campaign targeted multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations across government, military, human rights, civil society, media, and state oil exploration sectors. Attackers compromised over 100 websites tied to these entities, strategically modifying them to deliver malicious JavaScript payloads that facilitated social engineering attacks. These modifications enabled the group to profile visitors through digital fingerprinting and selectively deliver exploits via whitelists targeting specific individuals. OceanLotus deployed custom Google Apps designed to steal Gmail credentials, enabling unauthorized access to victim email accounts and contact lists. The infrastructure spanned multiple hosting providers and countries, utilizing attacker-created domains mimicking legitimate services like AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. Let’s Encrypt SSL/TLS certificates were heavily employed to encrypt malicious traffic, while backdoors such as Cobalt Strike provided persistent access to compromised systems. The campaign coincided with several high-profile ASEAN summits, suggesting coordination with geopolitical events to maximize intelligence gathering opportunities.


The operation represented one of the largest-scale digital surveillance efforts observed at the time, comparable only to activities attributed to the Russian Turla APT group. Compromised websites served as launchpads for global attacks, enabling the theft of sensitive communications and organizational data from targeted sectors. Victims faced credential compromise, unauthorized data exfiltration, and prolonged system access by attackers. Volexity documented the group’s evolution toward increasingly sophisticated tactics, techniques, and procedures since its initial identification by SkyEye Labs in 2015. Defensive measures implemented against the campaign included blocking associated domains and IP addresses, enforcing two-step authentication for Google accounts, and maintaining system updates with strong password policies. The incident underscored the operational capabilities of OceanLotus in conducting long-term, multi-sector espionage aligned with regional strategic interests.
