Cyber Incident Victim: Office of the President
Date: May 2015
Location: United States of America
Summary
A sophisticated and widespread digital surveillance and attack campaign targeted multiple Asian nations and organizations, including ASEAN entities, media outlets, human rights groups, and civil society. Conducted by the Vietnam-based APT group OceanLotus (APT32), the operation compromised over 100 websites tied to government, military, media, and civil sectors globally. The attackers injected strategically modified JavaScript into the compromised sites, enabling social engineering lures that stole credentials or delivered malware. The campaign used custom Google Apps to hijack Gmail accounts, harvested sensitive data only from whitelisted targets, and employed backdoors including Cobalt Strike. The infrastructure consisted of domains impersonating legitimate services and distributed hosting with Let's Encrypt certificates, used to conceal the malicious activity.
Description
In May 2017, Volexity identified and began tracking a widespread digital surveillance and attack campaign by the advanced persistent threat group OceanLotus, also known as APT32. The campaign targeted multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations associated with the government, military, human rights, civil society, media, and state oil exploration sectors. Attacks coincided with several high-profile ASEAN summits and used strategically compromised websites to profile visitors and collect information. Over 100 websites were compromised globally to launch attacks, with the threat actors using whitelists to selectively target specific individuals and organizations. The group deployed custom Google Apps to gain unauthorized access to victims' Gmail accounts, enabling theft of emails and contact lists. JavaScript modifications injected into the compromised websites altered their appearance, facilitating social engineering attacks that tricked visitors into installing malware or surrendering email credentials. The campaign represented a significant escalation in sophistication for OceanLotus, which was first documented by SkyEye Labs in 2015 and is believed to operate from Vietnam.

The attack infrastructure spanned numerous hosting providers and countries and incorporated attacker-created domains designed to mimic legitimate services, including AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. OceanLotus made heavy use of Let's Encrypt SSL/TLS certificates to encrypt malicious traffic and employed multiple custom backdoors, including Cobalt Strike, believed to be exclusively developed and used by the group. Volexity assessed the scale of these operations as comparable only to activity previously observed from the Russian APT group Turla. Defensive measures implemented against the campaign included blocking the domains and IP addresses associated with the attacks, enabling two-step verification on Google accounts, keeping systems updated, enforcing strong passwords, and deploying two-factor authentication across the affected organizations. The incident demonstrated systematic exploitation of web infrastructure to conduct surveillance against strategic targets across Southeast Asia and beyond.
