The OceanLotus Group, also known as APT 32, may be on the hunt for targets in ASEAN nations. The group is reportedly using a combination of compromised websites and ‘typosquatting’ infrastructure.
The group, thought to be acting on behalf of Vietnam, has carried out targeted attacks against foreign governments, private organisations, journalists and ‘dissidents’, according to information from RiskIQ.
RiskIQ’s global network of crawlers picked up on the activity through data on compromised web infrastructure. So far more than 140 compromised parent websites have been used by the group.
According to RiskIQ’s Steve Ginty, the campaign has been active since at least February 2016. Compromised websites include an online Vietnamese news website and the National Rescue Party of Cambodia. The latter has a platform focused on human rights and democracy.
He believes that both websites match a targeting profile consistent with Vietnam state interests.
At the centre of the 140 compromised websites is a domain called health-ray-id.com, which connects all of the websites.
A deeper dive into the domains revealed a cookie that appears to mimic a Cloudflare cookie. The cookie is associated with 99 domains, and 78 of those domains are in turn associated with the health-ray-id domain.
Ginty describes the 78 domains as, “A mix of Asia Pacific-based blogs, news organizations, and government websites.”
He believes that tension amongst ASEAN nations is leading members to sponsor cyber attacks in order to spy on and disrupt neighbouring countries.
“At the same time, many of these countries have poor cybersecurity practices and levels of awareness, both in the public and private sectors, that make their government and business organizations extremely susceptible to hacking groups like OceanLotus, which uses automation to launch sophisticated attacks cheaply by rotating and reusing undetected infrastructure,” Ginty says.
He believes that defenders who use web crawler data can detect unknown threats at the source, and monitor and track their spread.
“Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure—and how it’s used within a broader context,” he continues.
“Indexed web data sets and an analyst-focused analysis platform allow organizations to quickly and effectively identify the scale of these strategic compromises and provide visibility that improves an organization’s ability to defend their network.”
Earlier this year Palo Alto Networks connected an OceanLotus backdoor with attacks on macOS systems. The backdoor is hidden in a Word document inside a zipped file delivered as an email attachment.
The decoy document and application file are named 'noi dung chi tiet', Vietnamese for 'details'.