Viet con tradecraft exposed

UPDATED Suspected Vietnamese state-backed hackers are targeting dissidents from the South East Asian nation residing in Germany.

An investigation by German broadcaster BR and weekly newspaper Zeit Online has revealed how the OceanLotus (APT32) group are using spear-phishing, watering hole (compromised legitimate websites) and similar tactics to target Vietnamese expatriates in Germany.

BACKGROUND APT32 unmasked: Researchers shine light on the notorious hacking group

The article tells the story of those targeted, offering a rare victim-centric perspective on the use of cyber-espionage to targets dissidents and human rights activists.

For example, Berlin-based Vietnamese blogger Bui Thanh Hieu talks of his fears that any successful malware attack on his computer could expose the identities of people in his home nation that are feeding him intelligence.

Bui clicked on links to phishing emails, but his PC was not compromised by malware, according to a preliminary investigation.

The article offers a visualization of how the phishing emails sent to Bui were designed to work as well as a similar tear down of other elements of the hacker’s cyber-tradecraft.

Industrial secrets

The OceanLotus group has also been implicated in attacks against Chinese government agencies, in an apparent attempt to get intel about the coronavirus, as well as separate attacks against South East Asian businesses.

The group’s alleged activities in Germany featured attempts to steal industrial secrets from BMW.

Investigative reporter and coder Hakan, a researcher who worked closely with the German news outlets on their investigation, told The Daily Swig: “From what we’ve heard, this group is targeting mainly entities that have a connection to Vietnam, be it in the political realm (NGOs), religious groups or even protests around the toxic spill that happened a while back. Industrial espionage – the car company targeting – as far I understand caught everybody by surprise.”

“I don't think that there are other APT-style groups in Vietnam,” he added.

Marc-Etienne M.Léveillé, a malware researcher at ESET who has been tracking OceanLotus "off-and-on" for some years, confirmed that Vietnamese dissidents and activists are among its targets.

"Most of the OceanLotus' targets we see are in Laos, Cambodia and Vietnam but some campaigns suggest China is also targeted by OceanLotus," M.Léveillé told The Daily Swig.

"OceanLotus uses both off-the-shelf malware such as Cobalt Strike as a first stage malware and then deploy custom malware such as Denis to targets they find interesting.".

Ocean’s Command86

CrowdStrike reckons APT32 is a unit in the Vietnamese military, called Command86. The number of personnel in the unit is unconfirmed but its activities are wide ranging.

In April 2020, researchers from Kaspersky disclosed how the same OceanLotus group was using the Google Play Store to distribute malware.

Earlier this month, security firm Volexity warned that OceanLotus was using fake websites (some many touting news in Vietnamese) and Facebook pages as the launching pads for an array of attacks.

“In addition to targeting those within Vietnam, Volexity has seen renewed targeting of OceanLotus’s neighbors throughout Southeast Asia,” it reported.

“These websites have been observed profiling users, redirecting to phishing pages, and being leveraged to distribute malware payloads for Windows and OSX.”

This story was updated to add comments from security researcher Marc-Etienne M.Léveillé

RELATED Covid-19 cyber-espionage: Vietnam blamed for attacks on Chinese government