
Cyber Incident Victim: Armed Forces of the Philippines

Date:

May 2017

Location:

Philippines

Summary

A sophisticated cyber espionage campaign attributed to the Vietnam-based OceanLotus group targeted ASEAN entities, including the Armed Forces of the Philippines, alongside government, media, human rights, and civil society organizations. The attackers compromised over 100 websites for strategic digital surveillance, harvesting information through custom malicious Google Apps that gained access to victims' Gmail accounts and through socially engineered JavaScript injections that delivered malware. Operations leveraged a distributed infrastructure of spoofed domains mimicking legitimate services, Let's Encrypt certificates, and backdoors including Cobalt Strike and tools believed to be exclusive to OceanLotus, used to profile victims and exfiltrate data around high-profile regional summits.

Motives:

2 motives

Tactics, Techniques & Procedures:

2 techniques

Threat Actor:

1 actor

Description

In May 2017, Volexity identified an extensive digital surveillance and attack campaign conducted by the advanced persistent threat group OceanLotus, also known as APT32. The campaign targeted multiple Asian nations, including members of the Association of Southeast Asian Nations (ASEAN), with a focus on government, military, human rights organizations, civil society groups, media outlets, and state oil exploration entities. Attacks occurred during high-profile ASEAN summits and leveraged over 100 strategically compromised websites belonging to these organizations to launch global operations. The threat actors employed whitelisting mechanisms to selectively target specific individuals and organizations visiting these sites. OceanLotus deployed custom Google Apps designed to compromise victim Gmail accounts, enabling theft of emails and contact lists. JavaScript modifications were injected into compromised websites to alter their appearance, facilitating social engineering attacks that tricked visitors into installing malware or surrendering email credentials. The group utilized a distributed infrastructure spanning multiple hosting providers and countries, registering domains mimicking legitimate services including AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. Let’s Encrypt SSL/TLS certificates were heavily employed to disguise malicious traffic.


The campaign utilized multiple backdoors, including Cobalt Strike and other tools believed to be exclusively developed and operated by OceanLotus. Volexity assessed the scale of these operations as comparable only to activities previously attributed to the Russian APT group Turla. Defensive measures implemented against the campaign included blocking domains and IP addresses associated with OceanLotus infrastructure. Organizations enforced two-step authentication for Google accounts to mitigate credential theft via the group’s custom Google Apps. System updates and strong password policies were prioritized to reduce vulnerabilities. The incident demonstrated systematic collection of digital profiles and sensitive information through compromised platforms, with particular emphasis on entities involved in regional governance, military affairs, and civil society across ASEAN member states.

Sources

1 source (available to members)