Date: Jan 2015

Location: Cambodia

Summary

A sophisticated cyberespionage campaign attributed to the Vietnam-based OceanLotus group (APT32) targeted the Cambodian Ministry of Foreign Affairs and International Cooperation alongside other ASEAN governments, militaries, media outlets, and civil society organizations. The attackers compromised over 100 websites to inject strategic JavaScript, built custom malicious Google Apps for credential theft, and impersonated legitimate services through counterfeit domains. This enabled large-scale digital surveillance, social engineering, and malware distribution (primarily Cobalt Strike backdoors) via a globally distributed infrastructure that relied on Let's Encrypt certificates. The operation systematically profiled site visitors, delivering malicious content only to whitelisted targets, and harvested sensitive communications, contacts, and organizational data.


Description

In May 2017, Volexity identified a widespread digital surveillance and attack campaign targeting multiple Asian nations, including ASEAN member states, along with organizations and individuals associated with government, military, human rights, civil society, and media sectors. The campaign, attributed to the Vietnam-based OceanLotus group (also known as APT32), employed strategically compromised websites to profile visitors and deliver malicious payloads during high-profile ASEAN summits. Attackers modified JavaScript on over 100 compromised websites to selectively target visitors through whitelists, ensuring only specific individuals and organizations received malicious content. The group deployed custom Google Apps designed to steal Gmail credentials and contacts, while mimicking legitimate services like Facebook, Google, and Cloudflare through attacker-controlled domains. OceanLotus utilized Let’s Encrypt SSL/TLS certificates extensively across their infrastructure, which spanned multiple hosting providers and countries to distribute backdoors including Cobalt Strike and other proprietary malware.


The operation facilitated mass information collection through compromised state oil exploration entities, media outlets, and civil society groups. Volexity assessed the campaign's scale as comparable only to historical operations by the Russian Turla APT group. Impacted systems experienced unauthorized email access, contact theft, and covert surveillance. Recommended defensive measures included blocking domains and IP addresses associated with OceanLotus infrastructure, enabling two-step authentication for Google accounts, keeping systems updated, and using strong passwords. The attacks demonstrated advanced tradecraft through targeted social engineering, infrastructure diversification, and continuous adaptation across multiple ASEAN-related events.
