The prolific OceanLotus threat actor group, also known as APT32, has been active since at least 2012. The group primarily targets organizations in East Asia, while continuing to update its backdoors, infrastructure, and infection vectors.
Main targets
The group, which is believed to operate from Vietnam, targets multiple private-sector industries as well as foreign governments, dissidents and journalists. Initially, the group was observed conducting an organized, well-planned, targeted, long-term and persistent campaign against prominent Chinese government organizations, research institutes, maritime agencies, and marine construction and shipping companies.
Attack modes
The threat actor group uses either spear phishing or watering-hole attacks, combined with various social-engineering techniques, to launch the majority of its intrusions. FireEye observed that APT32 leverages a unique suite of fully featured malware alongside commercially available tools to conduct targeted operations aligned with Vietnamese state interests.
Although OceanLotus continues to launch attacks using older techniques, the group has also been observed folding specific malware families into its infection process. These are mainly backdoors such as WINDSHIELD, Phoreal, SOUNDBITE, and KOMPROGO. In one of its more recent attacks, in 2019, APT32 was observed using a new custom downloader, 'KerrDown', to retrieve a variant of Cobalt Strike Beacon in attacks targeting Vietnamese citizens.
Examples
Some key highlights of OceanLotus attack campaigns are as follows:
Cybersecurity firm Volexity observed that OceanLotus compromised websites in one of two ways: the first involves direct user-account access to the website's content management system (CMS); the second involves exploitation of outdated plugins or CMS components.
“It is currently unknown how the intruders gain working credentials to the victim websites. Based on the TTPs leveraged by OceanLotus, it is possible that credentials could have been socially engineered (phished) from the victims or that the system administrators have been backdoored and a keylogger has assisted in capturing the login credentials,” said the researchers at Volexity.
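The two compromise modes Volexity describes leave different traces in a web server's access log: credential abuse looks like a valid login from an unfamiliar source followed by plugin or theme changes, while exploitation of an outdated component looks like direct requests to a plugin's PHP files with no login at all. The script below is an added example, not Volexity's code or anything from the original page. It assumes a WordPress-style CMS (wp-login.php, /wp-admin/, /wp-content/plugins/), Apache combined log format, a 302 response on successful login, a baseline of source IPs that administrators normally use, and entirely constructed log lines with hypothetical plugin names.

```python
"""Hunt for the two CMS-compromise patterns described above in web-server logs.

Added example, not the page's or any vendor's code. Assumptions (not from the
page): WordPress-style paths, Apache combined log format, a successful login
returns 302, and KNOWN_ADMIN_IPS is a maintained baseline of admin sources.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Admin pages through which a logged-in user can write code into the site.
ADMIN_WRITE_PATHS = (
    "/wp-admin/plugin-install.php", "/wp-admin/plugin-editor.php",
    "/wp-admin/theme-editor.php", "/wp-admin/update.php",
)

# Constructed baseline: IPs from which administrators normally log in.
KNOWN_ADMIN_IPS = {"203.0.113.7"}

# Constructed sample log (all addresses are documentation ranges; the plugin
# names "example-gallery" and "old-forms" are hypothetical).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:08:01:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:08:05:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:08:06:02 +0000] "POST /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:08:06:30 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 3290 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2019:09:11:58 +0000] "GET /wp-content/plugins/example-gallery/css/style.css HTTP/1.1" 200 412 "-" "python-requests/2.21"
192.0.2.99 - - [10/Mar/2019:09:12:00 +0000] "GET /wp-content/plugins/old-forms/ajax.php HTTP/1.1" 404 0 "-" "python-requests/2.21"
192.0.2.99 - - [10/Mar/2019:09:12:05 +0000] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 44 "-" "python-requests/2.21"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["path"] = e["path"].split("?", 1)[0]  # drop query string for matching
        events.append(e)
    return events


def successful_login_ips(events):
    """IPs that completed a login (POST /wp-login.php answered with a 302)."""
    return {e["ip"] for e in events
            if e["method"] == "POST" and e["path"] == "/wp-login.php"
            and e["status"] == 302}


def find_credential_abuse(events, known_admin_ips, window_s=900):
    """Pattern 1: a successful login from outside the admin baseline, followed
    within window_s seconds by a plugin/theme write page. Returns sorted IPs."""
    hits = set()
    for login in events:
        if not (login["method"] == "POST" and login["path"] == "/wp-login.php"
                and login["status"] == 302):
            continue
        if login["ip"] in known_admin_ips:
            continue
        for e in events:
            delta = (e["ts"] - login["ts"]).total_seconds()
            if (e["ip"] == login["ip"] and e["path"] in ADMIN_WRITE_PATHS
                    and 0 <= delta <= window_s):
                hits.add(login["ip"])
                break
    return sorted(hits)


def find_plugin_exploitation(events):
    """Pattern 2: direct hits on PHP files inside a plugin or theme directory
    that succeed (status < 400) from an IP that never logged in. Returns sorted
    (ip, path) pairs. Static assets and failed probes are ignored."""
    logged_in = successful_login_ips(events)
    hits = set()
    for e in events:
        p = e["path"]
        if not p.startswith(("/wp-content/plugins/", "/wp-content/themes/")):
            continue
        if not p.endswith(".php") or e["status"] >= 400 or e["ip"] in logged_in:
            continue
        hits.add((e["ip"], p))
    return sorted(hits)


def run_hunt(text=SAMPLE_LOG, known_admin_ips=KNOWN_ADMIN_IPS):
    events = parse_log(text)
    return {
        "credential_abuse": find_credential_abuse(events, known_admin_ips),
        "plugin_exploitation": find_plugin_exploitation(events),
    }


if __name__ == "__main__":
    for kind, findings in run_hunt().items():
        print(kind, findings)
```

On the constructed log the hunt returns one IP for the credential-abuse pattern and one (ip, path) pair for the plugin-exploitation pattern; the baseline admin's login, the static CSS fetch and the 404 probe are correctly ignored. In practice the baseline of admin IPs and the list of write pages need maintaining per site, and the 302-on-success assumption should be checked against the CMS actually in use.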
The FireEye team, which has also been closely observing the threat actor, believes that APT32's motivation varies depending on the type of organization it targets. However, it expects the group to continue targeting governments, journalists worldwide, and members of the Vietnamese diaspora.