Since its emergence, APT32, aka OceanLotus, has been conducting several cyberespionage campaigns against multiple sectors in Vietnam that work against the Government of Vietnam. Recently, Amnesty International's Security Lab laid bare new findings of the group’s latest coordinated spyware attacks.

Report highlights

Between February 2018 and November 2020, the group has tracked and spied on activists and other human rights defenders and the Vietnamese Overseas Initiative for Conscience Empowerment (VOICE), an NGO that supports Vietnamese refugees and promotes human rights.
  • These were infected via phishing emails embedded with the APT32's Kerrdown downloader. The downloader was being used to install the final payload on the victims' Windows computers.
  • The attackers deployed Cobalt Strike beacons to gain persistent remote access to the compromised systems.
  • It was found that Bui Thanh Hieu, a blogger and pro-democracy activist, was targeted with spyware at least four times within the span of two years.

APT32’s constant target - Vietnam

The APT32 group apparently has special interests in Vietnamese political dissidents, businesses, and activists, as indicated from its recent attacks.
  • In December 2020, Facebook had publicly disclosed APT32’s offensive hacking operation on an IT firm in Vietnam.
  • In November 2020, the group was observed leveraging legitimate-looking multiple activist, news, and anti-corruption websites to target users in Vietnam and across Southeast Asia.

Wrapping up

The APT32 group’s coordinated attacks against Vietnamese NGOs and activists are a clear indication of its inclination toward Vietnamese state interests. For preventive measures, users are recommended to use anti-spam and anti-phishing solutions and keep all the applications patched.

Cyware Publisher