Cyber Incident Victim: Ministry of Social Affairs, Veterans, and Youth Rehabilitation
Date: May 2015
Location: Viet Nam
Summary
A sophisticated cyber espionage campaign attributed to the Vietnam-based OceanLotus group targeted ASEAN nations and associated entities, including government, military, human rights organizations, media outlets, and civil society groups. The attackers used strategically compromised websites to conduct mass digital surveillance, applying whitelists to profile only selected visitors and modifying site content to deliver malicious JavaScript for social engineering. Their infrastructure included spoofed domains mimicking legitimate services and relied on Let's Encrypt certificates to encrypt traffic, while custom backdoors such as Cobalt Strike provided persistent access. The operation facilitated large-scale information theft, including unauthorized access to Gmail accounts via tailored Google Apps integrations that enabled exfiltration of emails and contact data.
Description
In May 2017, Volexity identified a widespread mass digital surveillance and attack campaign targeting multiple Asian nations, including entities associated with the ASEAN organization, government bodies, media outlets, human rights groups, and civil society organizations. The campaign, attributed to the advanced persistent threat group OceanLotus (also known as APT32), employed strategically compromised websites to profile victims and deliver malicious payloads during high-profile ASEAN summits. OceanLotus, assessed to be Vietnam-based, utilized whitelists to selectively target specific individuals and organizations, ensuring attacks remained focused on predetermined high-value entities.

Attackers deployed custom Google Apps to compromise victim Gmail accounts, enabling theft of emails and contact lists. They also injected targeted JavaScript into compromised websites to alter their appearance, facilitating social engineering attacks that tricked visitors into installing malware or surrendering email credentials. The infrastructure supporting these operations spanned multiple hosting providers and countries, incorporating attacker-created domains designed to impersonate legitimate services like Google, Facebook, Cloudflare, and Baidu. Let's Encrypt SSL/TLS certificates were extensively used to encrypt malicious traffic, complicating detection efforts. Backdoors such as Cobalt Strike, believed to be exclusively developed and operated by OceanLotus, provided persistent access to compromised systems.

The campaign impacted over 100 websites tied to government, military, human rights, civil society, media, and state oil exploration sectors globally, facilitating large-scale information collection and digital profiling. Attackers mimicked legitimate online services through deceptive domains while leveraging a distributed infrastructure to evade blocking measures. The operational scale rivaled historical activities attributed to the Russian APT group Turla, indicating significant resource investment. Consequences included unauthorized surveillance of targeted individuals, exfiltration of sensitive communications, and credential theft, particularly affecting entities engaged in ASEAN-related activities. Volexity documented the campaign's technical mechanisms, including the use of modified website content for social engineering and the deployment of custom malware for persistent access. In response, defensive measures included blocking the identified malicious domains and IP addresses, enabling two-step authentication for Google accounts, keeping systems updated, and enforcing strong password policies across affected organizations.