Facebook links notorious OceanLotus cyber gang with Vietnamese IT company

This rare public attribution has been denied by the local IT services company

The Vietnamese flag overlaid on a keyboard

Facebook’s threat intelligence unit has accused the Vietnamese IT company CyberOne Group of harbouring concrete links with the notorious international hacking collective APT32, also known as OceanLotus.

APT32 is a Vietnamese group that’s been primarily linked with targeting human rights activists locally and foreign governments abroad, as well as several companies in various industries. The group was linked with a cyber attack against Toyota in 2019, for example, as well as a recent campaign to hide malware on the Google Play Store.

“The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin,” said Facebook’s head of security policy Nathaniel Gleicher and cyber threat intelligence manager Mike Dvilyanski. 

“We shared our findings including YARA rules and malware signatures with our industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked associated domains from being posted on our platform, removed the group’s accounts and notified people who we believe were targeted by APT32.”

It’s rare for such attributions to be so precise, especially with regards to allegedly state-backed organisations, given how many variables are involved, with companies cautious not to make incorrect accusations. 

Despite the public nature of Facebook’s statement, however, little information has been shared as to the exact links between OceanLotus and CyberOne Group, however, and the company itself has denied all affiliations with the group.

“We are NOT Ocean Lotus,” an individual operating the firm’s now-suspended Facebook page told Reuters. “It’s a mistake.”

Facebook said in a blog post that the APT32 cyber crime activity it’s detected traces back to this company, adding to Reuters that its threat intelligence team found technical evidence linking CyberOne’s Facebook page to accounts used in hacking campaigns. 

The firm withheld the exact evidence, however, suggesting that doing so would make the group more difficult to track in the future, although this apparently includes online infrastructure, malicious code, and other hacking tools and techniques.

The outfit has been accused of deploying a wide range of adversarial tactics across the internet to target its victims. These include social engineering, developing malicious Play Store apps, and spreading malware through conventional means. 

Its malware propagation technique involves an attack method known as a watering hole attack, in which hackers compromise websites and create their own to include obfuscated malicious JavaScript elements to track victims’ browser information. OceanLotus built custom malware capable of detecting the type of operating system a target uses, before sending a tailored payload that executes the malicious code.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Microsoft touts new cyber security help for nonprofits
cyber security

Microsoft touts new cyber security help for nonprofits

22 Oct 2021
Ofcom report reveals alarming uptick in smishing attacks
scams

Ofcom report reveals alarming uptick in smishing attacks

22 Oct 2021
Graylog launches new cyber security solution to address legacy issues
cyber security

Graylog launches new cyber security solution to address legacy issues

21 Oct 2021
US to ban surveillance software exports to authoritarian governments
cyber security

US to ban surveillance software exports to authoritarian governments

21 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021