Facebook links notorious OceanLotus cyber gang with Vietnamese IT company

This rare public attribution has been denied by the local IT services company

The Vietnamese flag overlaid on a keyboard

Facebook’s threat intelligence unit has accused the Vietnamese IT company CyberOne Group of harbouring concrete links with the notorious international hacking collective APT32, also known as OceanLotus.

APT32 is a Vietnamese group that’s been primarily linked with targeting human rights activists locally and foreign governments abroad, as well as several companies in various industries. The group was linked with a cyber attack against Toyota in 2019, for example, as well as a recent campaign to hide malware on the Google Play Store.

“The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin,” said Facebook’s head of security policy Nathaniel Gleicher and cyber threat intelligence manager Mike Dvilyanski. 

“We shared our findings including YARA rules and malware signatures with our industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked associated domains from being posted on our platform, removed the group’s accounts and notified people who we believe were targeted by APT32.”

It’s rare for such attributions to be so precise, especially with regards to allegedly state-backed organisations, given how many variables are involved, with companies cautious not to make incorrect accusations. 

Despite the public nature of Facebook’s statement, however, little information has been shared as to the exact links between OceanLotus and CyberOne Group, however, and the company itself has denied all affiliations with the group.

“We are NOT Ocean Lotus,” an individual operating the firm’s now-suspended Facebook page told Reuters. “It’s a mistake.”

Facebook said in a blog post that the APT32 cyber crime activity it’s detected traces back to this company, adding to Reuters that its threat intelligence team found technical evidence linking CyberOne’s Facebook page to accounts used in hacking campaigns. 

The firm withheld the exact evidence, however, suggesting that doing so would make the group more difficult to track in the future, although this apparently includes online infrastructure, malicious code, and other hacking tools and techniques.

The outfit has been accused of deploying a wide range of adversarial tactics across the internet to target its victims. These include social engineering, developing malicious Play Store apps, and spreading malware through conventional means. 

Its malware propagation technique involves an attack method known as a watering hole attack, in which hackers compromise websites and create their own to include obfuscated malicious JavaScript elements to track victims’ browser information. OceanLotus built custom malware capable of detecting the type of operating system a target uses, before sending a tailored payload that executes the malicious code.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

23 Mar 2021
Geico data breach leads to stolen driver’s license numbers
data breaches

Geico data breach leads to stolen driver’s license numbers

21 Apr 2021
UK’s IoT security regulation will also include smartphones
Internet of Things (IoT)

UK’s IoT security regulation will also include smartphones

21 Apr 2021
eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020
phishing

eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020

20 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
UK exploring plans to launch its own digital currency
digital currency

UK exploring plans to launch its own digital currency

19 Apr 2021