Facebook links notorious OceanLotus cyber gang with Vietnamese IT company

This rare public attribution has been denied by the local IT services company

The Vietnamese flag overlaid on a keyboard

Facebook’s threat intelligence unit has accused the Vietnamese IT company CyberOne Group of harbouring concrete links with the notorious international hacking collective APT32, also known as OceanLotus.

APT32 is a Vietnamese group that’s been primarily linked with targeting human rights activists locally and foreign governments abroad, as well as several companies in various industries. The group was linked with a cyber attack against Toyota in 2019, for example, as well as a recent campaign to hide malware on the Google Play Store.

“The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin,” said Facebook’s head of security policy Nathaniel Gleicher and cyber threat intelligence manager Mike Dvilyanski. 

“We shared our findings including YARA rules and malware signatures with our industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked associated domains from being posted on our platform, removed the group’s accounts and notified people who we believe were targeted by APT32.”

It’s rare for such attributions to be so precise, especially with regards to allegedly state-backed organisations, given how many variables are involved, with companies cautious not to make incorrect accusations. 

Despite the public nature of Facebook’s statement, however, little information has been shared as to the exact links between OceanLotus and CyberOne Group, however, and the company itself has denied all affiliations with the group.

“We are NOT Ocean Lotus,” an individual operating the firm’s now-suspended Facebook page told Reuters. “It’s a mistake.”

Facebook said in a blog post that the APT32 cyber crime activity it’s detected traces back to this company, adding to Reuters that its threat intelligence team found technical evidence linking CyberOne’s Facebook page to accounts used in hacking campaigns. 

The firm withheld the exact evidence, however, suggesting that doing so would make the group more difficult to track in the future, although this apparently includes online infrastructure, malicious code, and other hacking tools and techniques.

The outfit has been accused of deploying a wide range of adversarial tactics across the internet to target its victims. These include social engineering, developing malicious Play Store apps, and spreading malware through conventional means. 

Its malware propagation technique involves an attack method known as a watering hole attack, in which hackers compromise websites and create their own to include obfuscated malicious JavaScript elements to track victims’ browser information. OceanLotus built custom malware capable of detecting the type of operating system a target uses, before sending a tailored payload that executes the malicious code.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

22 Sep 2020
Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021