
OceanLotus Group thought to be targeting ASEAN nations on behalf of Vietnam

09 Nov 17

The OceanLotus Group, also known as APT 32, may be on the hunt for targets in ASEAN nations. The group is reportedly using a combination of compromised websites and ‘typosquatting’ infrastructure.

The group, thought to be acting on behalf of Vietnam, has carried out targeted attacks against foreign governments, private organisations, journalists and ‘dissidents’, according to information from RiskIQ.

RiskIQ’s global network of crawlers picked up on the activity through data on compromised web infrastructure. So far more than 140 compromised parent websites have been used by the group.

According to RiskIQ’s Steve Ginty, the campaign has been active since at least February 2016. Compromised websites include an online Vietnamese news website and the National Rescue Party of Cambodia. The latter has a platform focused on human rights and democracy.

He believes that both websites match a targeting profile consistent with Vietnam state interests.

At the centre of the 140 compromised websites is a domain called health-ray-id.com, which connects all of the websites.

A deeper dive into the domains turned up a cookie that appears to mimic a Cloudflare cookie. The cookie is associated with 99 domains, and 78 of those domains are in turn associated with the health-ray-id domain.

Ginty describes the 78 domains as “a mix of Asia Pacific-based blogs, news organizations, and government websites.”
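The clustering described above, a hub domain plus a lookalike cookie used to tie compromised sites together, is an infrastructure pivot. The following is an added illustration of that pivot in Python, not RiskIQ code: it indexes constructed crawl records by the external hosts each page loads and the cookies set, intersects the sites tied to the hub domain with the sites carrying the cookie, ranks second-hop hosts by how concentrated they are in the cluster (shared CDNs loaded by many unrelated sites score low), and flags cookie names within one edit of a legitimate Cloudflare name. The site names, the cookie name `__cfduld` and the crawl records are constructed for the example; the page does not give the real cookie name.

```python
"""Infrastructure pivot over crawl data (added example, not RiskIQ's tooling)."""
from collections import defaultdict

HUB_DOMAIN = "health-ray-id.com"   # hub domain named in the article
LEGIT_COOKIES = {"__cfduid"}       # a genuine Cloudflare cookie name
LOOKALIKE_COOKIE = "__cfduld"      # constructed lookalike; the real name is not on the page

# Constructed crawl records: placeholder sites, the external hosts their
# pages pulled resources from, and the cookies observed on the page.
CRAWL_RECORDS = [
    {"site": "news.example.vn",  "loads": [HUB_DOMAIN, "cdn.example.org"], "cookies": [LOOKALIKE_COOKIE, "PHPSESSID"]},
    {"site": "party.example.kh", "loads": [HUB_DOMAIN],                    "cookies": [LOOKALIKE_COOKIE]},
    {"site": "blog.example.ph",  "loads": [HUB_DOMAIN],                    "cookies": ["PHPSESSID"]},
    {"site": "gov.example.id",   "loads": ["tracker.example.net"],         "cookies": [LOOKALIKE_COOKIE]},
    {"site": "shop.example.sg",  "loads": ["cdn.example.org"],             "cookies": ["__cfduid"]},
    {"site": "forum.example.my", "loads": [HUB_DOMAIN],                    "cookies": [LOOKALIKE_COOKIE]},
]


def index_indicators(records):
    """Map each indicator, ("loads", host) or ("cookie", name), to the set of sites showing it."""
    idx = defaultdict(set)
    for r in records:
        for host in r["loads"]:
            idx[("loads", host)].add(r["site"])
        for name in r["cookies"]:
            idx[("cookie", name)].add(r["site"])
    return idx


def pivot(records, hub_domain, cookie_name):
    """Sites tied to the hub domain, sites carrying the cookie, and the overlap."""
    idx = index_indicators(records)
    hub_sites = idx[("loads", hub_domain)]
    cookie_sites = idx[("cookie", cookie_name)]
    return {"hub": hub_sites, "cookie": cookie_sites, "both": hub_sites & cookie_sites}


def rank_second_hop(records, cluster):
    """Rank every loaded host by the share of its loaders that sit inside the cluster.

    A host loaded almost only by cluster members is a candidate for the same
    attacker infrastructure; a host loaded by many unrelated sites (a shared CDN)
    is probably benign even if one victim happens to use it.
    """
    idx = index_indicators(records)
    rows = [(host, len(sites & cluster), len(sites))
            for (kind, host), sites in idx.items() if kind == "loads"]
    rows.sort(key=lambda t: (-t[1] / t[2], -t[1], t[0]))
    return rows


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike cookie names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_cookies(records, legit_names, max_distance=1):
    """Cookie names that are not legitimate but sit within max_distance edits of one."""
    seen = {name for r in records for name in r["cookies"]}
    return {n for n in seen if n not in legit_names
            and any(edit_distance(n, legit) <= max_distance for legit in legit_names)}


if __name__ == "__main__":
    result = pivot(CRAWL_RECORDS, HUB_DOMAIN, LOOKALIKE_COOKIE)
    print("hub sites:   ", sorted(result["hub"]))
    print("cookie sites:", sorted(result["cookie"]))
    print("both:        ", sorted(result["both"]))
    print("second hop:  ", rank_second_hop(CRAWL_RECORDS, result["cookie"]))
    print("lookalikes:  ", lookalike_cookies(CRAWL_RECORDS, LEGIT_COOKIES))
```

Pivoting from the cookie cluster surfaces `tracker.example.net` (loaded only by a cookie-bearing site) ahead of the hub and well ahead of the shared CDN, which is the caveat a practitioner needs: a second-hop pivot pulls in every shared host, so weight each candidate by how concentrated its loaders are in the cluster rather than treating every co-occurrence as attacker infrastructure.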

He believes that tension amongst ASEAN nations is leading member states to sponsor cyber attacks in order to spy on and disrupt neighbouring countries.

“At the same time, many of these countries have poor cybersecurity practices and levels of awareness, both in the public and private sectors, that make their government and business organizations extremely susceptible to hacking groups like OceanLotus, which uses automation to launch sophisticated attacks cheaply by rotating and reusing undetected infrastructure,” Ginty says.

He believes that defenders who use web-crawler data can detect unknown threats at the source and monitor and track their spread.

“Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure—and how it’s used within a broader context,” he continues.

“Indexed web data sets and an analyst-focused analysis platform allow organizations to quickly and effectively identify the scale of these strategic compromises and provide visibility that improves an organization’s ability to defend their network.”

Earlier this year Palo Alto Networks connected an OceanLotus backdoor with attacks on macOS systems. The backdoor arrives as an email attachment: a zipped file whose contents pose as a Word document.

The decoy document and application file is named 'noi dung chi tiet', Vietnamese for 'details'. 
