Date: May 2015

Location: China

Summary

A sophisticated cyberespionage campaign attributed to the Vietnam-linked OceanLotus group (APT32) compromised over 100 websites tied to government, military, human rights, media, and a state oil exploration entity to conduct mass digital surveillance across Asian nations. The attackers deployed strategically modified websites to deliver targeted JavaScript implants, created malicious Google Apps for stealing Gmail data, and leveraged a distributed infrastructure spoofing legitimate services to deploy custom backdoors like Cobalt Strike. This operation facilitated extensive information collection and profiling of victims through whitelisted targeting and social engineering tactics.


Description

In May 2017, Volexity identified a widespread digital surveillance and attack campaign targeting multiple Asian nations, the ASEAN organization, and hundreds of individuals and organizations across sectors including government, military, human rights, civil society, media, and state oil exploration. The campaign, attributed to the advanced persistent threat group OceanLotus (also known as APT32), employed strategically compromised websites to launch attacks globally, with activity observed during high-profile ASEAN summits.

Attackers compromised over 100 websites belonging to targeted entities, modifying them to deliver malicious JavaScript that facilitated social engineering attacks. These modifications altered the appearance of legitimate sites to deceive visitors into installing malware or surrendering access to their email accounts. OceanLotus used whitelisting to restrict attacks to specific individuals and organizations, demonstrating precise targeting. The group deployed custom Google Apps to infiltrate victim Gmail accounts, enabling theft of emails and contact lists.

Their infrastructure spanned multiple hosting providers and countries, incorporating attacker-created domains mimicking legitimate services such as AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, and Google. Let’s Encrypt SSL/TLS certificates were heavily used to conceal malicious traffic, while backdoors such as Cobalt Strike, believed exclusive to OceanLotus, provided persistent access to compromised systems.


The campaign represented a large-scale effort to collect digital profiles and sensitive information from targeted entities, including China National Offshore Oil Corporation as part of the state oil exploration sector. Attacks leveraged the compromised websites as launchpads, distributing malware and credential harvesting tools to victims globally.

OceanLotus’s operational sophistication included dynamically adapting their tactics, techniques, and procedures to evade detection, with infrastructure designed to blend into legitimate web traffic. The group’s activities focused on sustained intelligence gathering, with stolen data likely used for strategic advantage. Volexity assessed the scale of the campaign as comparable only to operations by the Russian APT group Turla, underscoring its significance. No specific containment measures by victim organizations were detailed in the reporting, though the attacks highlighted systemic vulnerabilities in web infrastructure and email security. The compromise of high-value targets across geopolitical, economic, and civil society spheres indicated a broad espionage mandate aligned with regional strategic interests.
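The description notes that the attacker infrastructure used domains imitating AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook and Google so that command-and-control and script loads would blend into ordinary web traffic. A defender's first pass at catching that pattern is to hunt proxy logs for hostnames that contain one of those brand names but whose registrable domain is not the brand's own. The script below is an added example written for this page; it is not from Volexity or from the original report. The brand-to-apex mapping, the log format and the log lines themselves are constructed for the example (the lookalike hosts use the reserved `.example` and `example.net` names as placeholders), and the registrable-domain logic is a deliberate simplification that ignores multi-label public suffixes such as `co.uk`.

```python
import re
from typing import Dict, List, Optional

# Brand tokens named in the description and the apex domains that legitimately
# serve them. The apex list is an ASSUMPTION for this example, not report data.
BRANDS: Dict[str, set] = {
    "addthis": {"addthis.com"},
    "disqus": {"disqus.com"},
    "akamai": {"akamai.com", "akamaihd.net", "akamaized.net"},
    "baidu": {"baidu.com"},
    "cloudflare": {"cloudflare.com"},
    "facebook": {"facebook.com", "fbcdn.net"},
    "google": {"google.com", "googleapis.com", "gstatic.com"},
}

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (example.com for a.b.example.com).

    Simplification: a real deployment should use the Public Suffix List so that
    hosts under multi-label suffixes (co.uk, com.cn, ...) are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand a hostname imitates, or None if it is a genuine apex.

    A host 'imitates' a brand when the brand token appears anywhere in the
    name but the registrable domain is not one of the brand's own apexes.
    """
    host = host.lower()
    apex = registrable_domain(host)
    for brand, apexes in BRANDS.items():
        if brand in host and apex not in apexes:
            return brand
    return None


def host_from_url(url: str) -> Optional[str]:
    """Extract the host part of an absolute URL (scheme://host[:port]/...)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose destination host imitates a brand."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        host = host_from_url(m.group("url"))
        if not host:
            continue
        brand = lookalike_brand(host)
        if brand:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "host": host, "imitates": brand})
    return hits


# Constructed sample log: three genuine brand hosts, three lookalikes.
SAMPLE_LOG = [
    "2017-05-10T08:12:01Z 10.0.0.15 GET https://www.facebook.com/",
    "2017-05-10T08:12:03Z 10.0.0.15 GET https://s7.addthis.com/js/300/addthis_widget.js",
    "2017-05-10T08:12:05Z 10.0.0.15 GET https://cdn.addthis-cdn.example/js/addthis.js",
    "2017-05-10T08:12:07Z 10.0.0.22 GET https://disqus.example.net/embed.js",
    "2017-05-10T08:12:09Z 10.0.0.22 GET https://fonts.googleapis.com/css",
    "2017-05-10T08:12:11Z 10.0.0.31 POST https://akamaihd.cloudflare-cache.example/upload",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} (imitates {hit['imitates']})")
```

The heuristic is intentionally coarse: it will flag any third-party domain that happens to embed a brand name, so the output is a hunting lead to review alongside certificate issuer, domain age and which internal hosts are contacting it, not a verdict on its own. The report's observation that the actor leaned on Let's Encrypt certificates means a valid TLS certificate on such a host should not by itself lower the suspicion.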
