Facebook links notorious OceanLotus cyber gang with Vietnamese IT company

This rare public attribution has been denied by the local IT services company


Facebook’s threat intelligence unit has accused the Vietnamese IT company CyberOne Group of harbouring concrete links with the notorious international hacking collective APT32, also known as OceanLotus.

APT32 is a Vietnamese group that’s been primarily linked with targeting human rights activists locally and foreign governments abroad, as well as several companies in various industries. The group was linked with a cyber attack against Toyota in 2019, for example, as well as a recent campaign to hide malware on the Google Play Store.

“The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin,” said Facebook’s head of security policy Nathaniel Gleicher and cyber threat intelligence manager Mike Dvilyanski. 

“We shared our findings including YARA rules and malware signatures with our industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked associated domains from being posted on our platform, removed the group’s accounts and notified people who we believe were targeted by APT32.”

It’s rare for such attributions to be so precise, especially where allegedly state-backed organisations are concerned: many variables are involved, and companies are cautious not to make incorrect accusations. 

Despite the public nature of Facebook’s statement, however, little information has been shared as to the exact links between OceanLotus and CyberOne Group, and the company itself has denied all affiliations with the group.

“We are NOT Ocean Lotus,” an individual operating the firm’s now-suspended Facebook page told Reuters. “It’s a mistake.”

Facebook said in a blog post that the APT32 cyber crime activity it’s detected traces back to this company, adding to Reuters that its threat intelligence team found technical evidence linking CyberOne’s Facebook page to accounts used in hacking campaigns. 

The firm withheld the exact evidence, however, suggesting that publishing it would make the group more difficult to track in the future, although the evidence apparently includes online infrastructure, malicious code, and other hacking tools and techniques.

The outfit has been accused of deploying a wide range of adversarial tactics across the internet to target its victims. These include social engineering, developing malicious Play Store apps, and spreading malware through conventional means. 

Its malware propagation technique involves an attack method known as a watering hole attack, in which attackers compromise legitimate websites, or set up their own, and embed obfuscated malicious JavaScript that records visitors’ browser information. OceanLotus built custom malware capable of detecting the type of operating system a target uses, before sending a tailored payload that executes the malicious code.
