Facebook links notorious OceanLotus cyber gang with Vietnamese IT company
This rare public attribution has been denied by the local IT services company
Facebook’s threat intelligence unit has accused the Vietnamese IT company CyberOne Group of harbouring concrete links with the notorious international hacking collective APT32, also known as OceanLotus.
APT32 is a Vietnamese group that’s been primarily linked with targeting human rights activists locally and foreign governments abroad, as well as several companies in various industries. The group was linked with a cyber attack against Toyota in 2019, for example, as well as a recent campaign to hide malware on the Google Play Store.
“The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin,” said Facebook’s head of security policy Nathaniel Gleicher and cyber threat intelligence manager Mike Dvilyanski.
“We shared our findings including YARA rules and malware signatures with our industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked associated domains from being posted on our platform, removed the group’s accounts and notified people who we believe were targeted by APT32.”
It’s rare for such attributions to be so precise, especially with regards to allegedly state-backed organisations, given how many variables are involved, with companies cautious not to make incorrect accusations.
Despite the public nature of Facebook’s statement, however, little information has been shared as to the exact links between OceanLotus and CyberOne Group, however, and the company itself has denied all affiliations with the group.
“We are NOT Ocean Lotus,” an individual operating the firm’s now-suspended Facebook page told Reuters. “It’s a mistake.”
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Facebook said in a blog post that the APT32 cyber crime activity it’s detected traces back to this company, adding to Reuters that its threat intelligence team found technical evidence linking CyberOne’s Facebook page to accounts used in hacking campaigns.
The firm withheld the exact evidence, however, suggesting that doing so would make the group more difficult to track in the future, although this apparently includes online infrastructure, malicious code, and other hacking tools and techniques.
The outfit has been accused of deploying a wide range of adversarial tactics across the internet to target its victims. These include social engineering, developing malicious Play Store apps, and spreading malware through conventional means.
Its malware propagation technique involves an attack method known as a watering hole attack, in which hackers compromise websites and create their own to include obfuscated malicious JavaScript elements to track victims’ browser information. OceanLotus built custom malware capable of detecting the type of operating system a target uses, before sending a tailored payload that executes the malicious code.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.