OceanLotus Group thought to be targeting ASEAN nations on behalf of Vietnam

09 Nov 2017

The OceanLotus Group, also known as APT 32, may be on the hunt for targets in ASEAN nations. The group is reportedly using a combination of compromised websites and ‘typosquatting’ infrastructure.

The group, thought to be acting on behalf of Vietnam, has carried out targeted attacks against foreign governments, private organisations, journalists and ‘dissidents’, according to information from RiskIQ.

RiskIQ’s global network of crawlers picked up on the activity through data on compromised web infrastructure. So far more than 140 compromised parent websites have been used by the group.

According to RiskIQ’s Steve Ginty, the campaign has been active since at least February 2016. Compromised websites include an online Vietnamese news website and the National Rescue Party of Cambodia. The latter has a platform focused on human rights and democracy.

He believes that both websites match a targeting profile consistent with Vietnam state interests.

At the centre of the 140 compromised websites is a domain called health-ray-id.com, which connects all of the websites.

A deeper dive into the domains revealed a cookie that appears to mimic a Cloudflare cookie. The cookie is associated with 99 domains, and 78 of those domains are in turn associated with the health-ray-id domain.

Ginty describes the 78 domains as, “A mix of Asia Pacific-based blogs, news organizations, and government websites.”
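The pivot described above, from a look-alike cookie to a hub domain, can be reproduced over crawl data. The following is an added illustration, not RiskIQ's tooling or data: it assumes the mimicked cookie is named like Cloudflare's `__cfduid`, treats a Cloudflare-named cookie on a response with no `cf-ray` header and no `server: cloudflare` as the look-alike, and runs over constructed observations.

```python
from dataclasses import dataclass, field

# Constructed crawl observations (not RiskIQ data): for each page fetched, the host,
# the hosts it loads resources from, the cookies it sets and its response headers
# (header names lowercased).
@dataclass
class Observation:
    host: str
    loads_from: set = field(default_factory=set)
    cookies: set = field(default_factory=set)
    headers: dict = field(default_factory=dict)

HUB = "health-ray-id.com"      # the hub domain named in the article
MIMIC_COOKIE = "__cfduid"      # assumption: the real Cloudflare cookie name being mimicked


def looks_like_fake_cloudflare(obs):
    """A Cloudflare-named cookie on a response that carries no Cloudflare markers."""
    if MIMIC_COOKIE not in obs.cookies:
        return False
    server = obs.headers.get("server", "").lower()
    return "cf-ray" not in obs.headers and server != "cloudflare"


def pivot(observations):
    """Cluster hosts by two independent artifacts (cookie, hub link), then intersect."""
    by_cookie = {o.host for o in observations if looks_like_fake_cloudflare(o)}
    by_hub = {o.host for o in observations if HUB in o.loads_from}
    return {"cookie": by_cookie, "hub": by_hub, "both": by_cookie & by_hub}


# Constructed sample: two hosts show both artifacts, one only the cookie, one only the
# hub link, and one is a genuine Cloudflare-fronted site that must not be flagged.
SAMPLE = [
    Observation("news.example", {HUB}, {"__cfduid"}, {"server": "nginx"}),
    Observation("party.example", {HUB}, {"__cfduid"}, {"server": "apache"}),
    Observation("blog.example", set(), {"__cfduid"}, {"server": "nginx"}),
    Observation("legit.example", set(), {"__cfduid"}, {"server": "cloudflare", "cf-ray": "x"}),
    Observation("gov.example", {HUB}, set(), {"server": "iis"}),
]

if __name__ == "__main__":
    for label, hosts in pivot(SAMPLE).items():
        print(label, sorted(hosts))
```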

He believes that tension amongst ASEAN nations is leading members to sponsor cyber attacks in order to spy on and disrupt neighbouring countries.

“At the same time, many of these countries have poor cybersecurity practices and levels of awareness, both in the public and private sectors, that make their government and business organizations extremely susceptible to hacking groups like OceanLotus, which uses automation to launch sophisticated attacks cheaply by rotating and reusing undetected infrastructure,” Ginty says.

He believes that defenders who use web crawler data can detect unknown threats at the source and monitor and track their spread.

“Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure—and how it’s used within a broader context,” he continues.

“Indexed web data sets, and analyst-focused analysis platform allows organizations to quickly and effectively identify the scale of these strategic compromises and provide visibility that improves an organization’s ability to defend their network.”

Earlier this year Palo Alto Networks connected an OceanLotus backdoor with attacks on MacOS systems. The backdoor is hidden in a Word Document in a zipped file as part of an email attachment.

The decoy document and application file are named 'noi dung chi tiet', Vietnamese for 'details'.
