
OceanLotus Group thought to be targeting ASEAN nations on behalf of Vietnam

09 Nov 2017

The OceanLotus Group, also known as APT 32, may be on the hunt for targets in ASEAN nations. The group is reportedly using a combination of compromised websites and ‘typosquatting’ infrastructure.

The group, thought to be acting on behalf of Vietnam, has carried out targeted attacks against foreign governments, private organisations, journalists and ‘dissidents’, according to information from RiskIQ.

RiskIQ’s global network of crawlers picked up on the activity through data on compromised web infrastructure. So far more than 140 compromised parent websites have been used by the group.

According to RiskIQ’s Steve Ginty, the campaign has been active since at least February 2016. Compromised websites include an online Vietnamese news website and the National Rescue Party of Cambodia. The latter has a platform focused on human rights and democracy.

He believes that both websites match a targeting profile consistent with Vietnam state interests.

At the centre of the 140 compromised websites is a domain called health-ray-id.com, which connects all of the websites.

A deeper dive into the domains revealed a cookie that appears to mimic a Cloudflare cookie. The cookie is associated with 99 domains, and 78 of those domains are in turn associated with the health-ray-id domain.

Ginty describes the 78 domains as, “A mix of Asia Pacific-based blogs, news organizations, and government websites.”

He believes that tension amongst ASEAN nations is leading members to sponsor cyber attacks in order to spy on and disrupt neighbouring countries.

“At the same time, many of these countries have poor cybersecurity practices and levels of awareness, both in the public and private sectors, that make their government and business organizations extremely susceptible to hacking groups like OceanLotus, which uses automation to launch sophisticated attacks cheaply by rotating and reusing undetected infrastructure,” Ginty says.

He believes that defenders who use web crawler data can detect unknown threats at the source, and monitor and track their spread.

“Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure—and how it’s used within a broader context,” he continues.

“Indexed web data sets and an analyst-focused analysis platform allow organizations to quickly and effectively identify the scale of these strategic compromises and provide visibility that improves an organization’s ability to defend their network.”
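The pivot Ginty describes (a lookalike cookie, the domains that set it, and how many of those also load the connecting health-ray-id.com domain) can be reproduced over crawler observations. The following is an added illustration, not RiskIQ's code or data: the hub domain name comes from the article, while the lookalike cookie name, the sample sites and their headers are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

HUB_HOST = "health-ray-id.com"     # the connecting domain named in the article
LOOKALIKE_COOKIE = "__cfduid_v2"   # constructed stand-in; Cloudflare's real cookie is __cfduid

@dataclass
class CrawlRecord:
    site: str
    loads_from: set   # third-party hosts the page pulled scripts/iframes from
    cookies: set      # cookie names set while rendering the page
    server: str = ""  # Server response header, if any

def find_hub(records, min_sites=3):
    """Rank third-party hosts by how many distinct sites load them; a host that
    recurs across unrelated sites is a candidate shared-infrastructure hub."""
    counts = Counter()
    for r in records:
        for host in r.loads_from:
            counts[host] += 1
    return [(h, n) for h, n in counts.most_common() if n >= min_sites]

def pivot_on_cookie(records, cookie=LOOKALIKE_COOKIE, hub=HUB_HOST):
    """Cookie -> sites setting it -> how many of those also load the hub domain."""
    cookie_sites = {r.site for r in records if cookie in r.cookies}
    hub_sites = {r.site for r in records if hub in r.loads_from}
    return {"cookie_sites": cookie_sites, "hub_sites": hub_sites,
            "overlap": cookie_sites & hub_sites}

def lookalike_cookie_alerts(records, cookie=LOOKALIKE_COOKIE):
    """A Cloudflare-looking cookie set by a site that is not actually served via
    Cloudflare is the anomaly a crawler can flag at the source."""
    return sorted(r.site for r in records
                  if cookie in r.cookies and "cloudflare" not in r.server.lower())

# Constructed sample crawl, not real observations.
SAMPLE = [
    CrawlRecord("news.example", {HUB_HOST, "cdn.example"}, {LOOKALIKE_COOKIE, "PHPSESSID"}, "nginx"),
    CrawlRecord("party.example", {HUB_HOST}, {LOOKALIKE_COOKIE}, "Apache"),
    CrawlRecord("blog.example", {HUB_HOST, "ads.example"}, {"PHPSESSID"}, "nginx"),
    CrawlRecord("gov.example", {"ads.example"}, {LOOKALIKE_COOKIE}, "IIS"),
    CrawlRecord("legit.example", {"cdn.example"}, {"__cfduid"}, "cloudflare"),
    CrawlRecord("cf-site.example", {"cdn.example"}, {LOOKALIKE_COOKIE}, "cloudflare"),
]

if __name__ == "__main__":
    print(find_hub(SAMPLE))
    print(pivot_on_cookie(SAMPLE))
    print(lookalike_cookie_alerts(SAMPLE))
```

The hub ranking alone cannot separate a malicious hub from a popular CDN, which is why the cookie pivot and the server-header check are combined before anything is called an indicator.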

Earlier this year Palo Alto Networks connected an OceanLotus backdoor with attacks on macOS systems. The backdoor is hidden in a Word document inside a zipped file delivered as an email attachment.

The decoy document and application file are named 'noi dung chi tiet', Vietnamese for 'details'.
