Cyber Incident Victim: Ministry of National Assembly-Senate Relations and Inspection
Date: May 2015
Location: Viet Nam
Summary
A sophisticated cyberespionage campaign attributed to the Vietnam-based APT32 group (OceanLotus) targeted governmental bodies, military entities, human rights organizations, media outlets, and civil society across multiple Asian nations. The attackers compromised over 100 websites to conduct strategic digital surveillance, harvesting sensitive information through tailored JavaScript injections that altered site content to support social engineering. They employed custom malicious Google Apps to gain access to victims' Gmail accounts and exfiltrate emails and contacts, and they relied on a distributed infrastructure of spoofed domains mimicking legitimate services such as Google and Facebook. The operation used advanced backdoors, including Cobalt Strike; whitelisting, to restrict attacks to specific high-value targets; and Let's Encrypt certificates, to obscure malicious traffic.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In May 2017, Volexity identified and began tracking a widespread digital surveillance and attack campaign conducted by the advanced persistent threat group OceanLotus, also known as APT32. This campaign targeted multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations associated with the media, human rights, civil society, government, military, and state oil exploration sectors. The attacks occurred during the period of several high-profile ASEAN summits and involved the strategic compromise of over 100 websites globally. OceanLotus, believed to be Vietnam-based, employed sophisticated tactics, including whitelists that restricted attacks to specific individuals and organizations. The group used compromised websites to deliver malicious JavaScript that altered site content, enabling social engineering attacks that tricked visitors into installing malware or granting access to their email accounts. Custom Google Apps were deployed to infiltrate victims' Gmail accounts, enabling the theft of emails and contact lists. The campaign represented a significant escalation in the group's capabilities, leveraging a distributed infrastructure across multiple hosting providers and countries to evade detection.

OceanLotus utilized a large network of attacker-created domains designed to mimic legitimate services such as AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. The group heavily relied on Let’s Encrypt SSL/TLS certificates to encrypt malicious communications and employed multiple backdoors, including Cobalt Strike, which were believed to be exclusively developed and used by the group. Volexity assessed the scale of the operation as rivaling previous campaigns by the Russian APT group Turla, highlighting its extensive reach and coordination. Defensive measures against the campaign included blocking domains and IP addresses associated with the attacks, enabling two-step authentication for Google accounts, and maintaining updated systems with strong passwords and two-factor authentication. The incident underscored the group’s focus on long-term intelligence gathering and exploitation of high-value targets across geopolitical and civil society spheres.
