
OceanLotus Group thought to be targeting ASEAN nations on behalf of Vietnam

09 Nov 2017

The OceanLotus Group, also known as APT 32, may be on the hunt for targets in ASEAN nations. The group is reportedly using a combination of compromised websites and ‘typosquatting’ infrastructure.

The group, thought to be acting on behalf of Vietnam, has carried out targeted attacks against foreign governments, private organisations, journalists and ‘dissidents’, according to information from RiskIQ.

RiskIQ’s global network of crawlers picked up on the activity through data on compromised web infrastructure. So far more than 140 compromised parent websites have been used by the group.

According to RiskIQ’s Steve Ginty, the campaign has been active since at least February 2016. Compromised websites include an online Vietnamese news website and the website of the National Rescue Party of Cambodia, a party whose platform focuses on human rights and democracy.

He believes that both websites match a targeting profile consistent with Vietnam state interests.

At the centre of the 140 compromised websites is a domain called health-ray-id.com, which connects all of the websites.

A deeper dive into the domains revealed a cookie that appears to mimic a Cloudflare cookie. The cookie is associated with domains in 99 cases, and 78 of those domains are in turn associated with the health-ray-id domain.

Ginty describes the 78 domains as “a mix of Asia Pacific-based blogs, news organizations, and government websites.”
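The two pivots described above (sites setting the Cloudflare-lookalike cookie, then the third-party host those sites have in common) can be reproduced over crawler observations. The following is an added example with constructed data, not RiskIQ’s data or tooling; the cookie name `__cf_lookalike` is a placeholder, since the article does not give the real one.

```python
from collections import Counter

# Constructed crawler observations (not RiskIQ data): for each crawled site,
# the third-party hosts its pages load resources from and the cookie names
# observed during the crawl. "__cf_lookalike" stands in for the
# Cloudflare-style cookie the article describes; the real name is not given.
OBSERVATIONS = [
    {"site": "news-a.example", "loads_from": ["cdn.example.net", "health-ray-id.com"],
     "cookies": ["_ga", "__cf_lookalike"]},
    {"site": "party-b.example", "loads_from": ["health-ray-id.com"],
     "cookies": ["__cf_lookalike"]},
    {"site": "blog-c.example", "loads_from": ["stats.example.org", "health-ray-id.com"],
     "cookies": ["__cf_lookalike", "sess"]},
    {"site": "gov-d.example", "loads_from": ["cdn.example.net"],
     "cookies": ["__cf_lookalike"]},
    {"site": "shop-e.example", "loads_from": ["cdn.example.net"],
     "cookies": ["_ga"]},
]


def sites_setting_cookie(observations, cookie_name):
    """Pivot 1: every crawled site on which the suspicious cookie was set."""
    return {o["site"] for o in observations if cookie_name in o["cookies"]}


def shared_third_parties(observations, sites):
    """Pivot 2: third-party hosts loaded by the given sites, counted by how
    many of those sites load them. A host shared by many otherwise unrelated
    sites is the candidate hub that connects the compromises."""
    counts = Counter()
    for o in observations:
        if o["site"] in sites:
            counts.update(set(o["loads_from"]))
    return counts


def correlate(observations, cookie_name, hub):
    """Tie the two pivots together: how many sites set the cookie, which
    third party they most often share, and how many of them load the hub."""
    cookie_sites = sites_setting_cookie(observations, cookie_name)
    third = shared_third_parties(observations, cookie_sites)
    linked = sorted(o["site"] for o in observations
                    if o["site"] in cookie_sites and hub in o["loads_from"])
    return {
        "cookie_sites": len(cookie_sites),
        "top_third_party": third.most_common(1)[0][0] if third else None,
        "linked_to_hub": linked,
    }


if __name__ == "__main__":
    print(correlate(OBSERVATIONS, "__cf_lookalike", "health-ray-id.com"))
```

On real crawl data the same two pivots give the article’s 99 cookie-associated domains and the 78 of them that also touch the hub domain.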

He believes that tension amongst ASEAN nations is leading member states to sponsor cyber attacks in order to spy on and disrupt neighbouring countries.

“At the same time, many of these countries have poor cybersecurity practices and levels of awareness, both in the public and private sectors, that make their government and business organizations extremely susceptible to hacking groups like OceanLotus, which uses automation to launch sophisticated attacks cheaply by rotating and reusing undetected infrastructure,” Ginty says.

He believes that defenders who use web crawler data can detect unknown threats at the source, and monitor and track their spread.

“Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure—and how it’s used within a broader context,” he continues.

“Indexed web data sets and an analyst-focused analysis platform allow organizations to quickly and effectively identify the scale of these strategic compromises and provide visibility that improves an organization’s ability to defend their network.”

Earlier this year Palo Alto Networks connected an OceanLotus backdoor with attacks on macOS systems. The backdoor is hidden in a Word document inside a zipped file delivered as an email attachment.

The decoy document and application file are named 'noi dung chi tiet', Vietnamese for 'details'.
