Facebook links hackers backed by the Vietnamese government to an IT firm


Facebook said it has linked an advanced hacking group, which is widely believed to be sponsored by the Vietnamese government, with what is supposedly a legitimate IT company in that country.

The advanced persistent threat group goes by the monikers APT32 and OceanLotus. It has been operating since at least 2014 and targets private sector companies in a number of industries, as well as foreign governments, dissidents, and journalists in South Asia and elsewhere. It uses a variety of tactics, including phishing, to infect targets with full-featured, custom-built desktop and mobile malware. To gain the trust of its targets, the group goes to great lengths to create websites and online personas masquerading as legitimate people and organizations.

Earlier this year, researchers discovered at least eight unusually sophisticated Android apps hosted on Google Play and linked to the hacking group. Many of them had been there since at least 2018. OceanLotus repeatedly bypassed Google's app review process by submitting initially benign versions of the apps and later updating them to add backdoors and other malicious features.

FireEye released a detailed report on OceanLotus in 2017, and BlackBerry has published more recent information.

On Thursday, Facebook identified the Vietnamese IT company CyberOne Group as affiliated with OceanLotus. The company lists an address in Ho Chi Minh City.

Emails sent to the company seeking comment bounced with an error message stating that the mail server was misconfigured. However, a Reuters report on Friday quoted a person who runs the company's now-banned Facebook page: "We are NOT Ocean Lotus. It's a mistake."

At the time of this post, the company's website was also down. An archive of it from earlier on Friday is here.

According to Facebook, a recent investigation uncovered a number of notable tactics, techniques, and procedures, including:

  • Social Engineering: APT32 created fictitious online personas posing as activists and corporations, or used romantic lures to get in touch with the people it targets. These efforts often included creating backstops for the fake personas and fake organizations on other internet services so that they would appear more legitimate and stand up to scrutiny, including by security researchers. Some of the group's pages are designed to attract specific followers for later phishing and malware targeting.
  • Malicious Play Store Apps: In addition to using Pages, APT32 lured targets into downloading Android applications from the Google Play Store that requested a range of permissions allowing extensive monitoring of people's devices.
  • Malware Spread: APT32 compromised websites and created its own to host disguised malicious JavaScript as part of watering-hole attacks that fingerprint the target's browser. In a watering-hole attack, attackers infect websites that their intended targets visit frequently in order to compromise those visitors' devices. As part of this, the group built custom malware that detects the target's operating system (Windows or Mac) before delivering a tailored payload that executes the malicious code. Consistent with the group's earlier activity, APT32 also used links to file-sharing services hosting malicious files for targets to click and download. Most recently, it used shortened links to deliver malware. Finally, the group relied on dynamic-link library (DLL) side-loading attacks against Microsoft Windows applications. It developed malicious files in EXE, RAR, RTF and ISO formats and delivered benign-looking Word documents containing malicious links in the text.
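The DLL side-loading technique named in the last bullet leaves a recognisable trace in endpoint telemetry: a host executable loading an unsigned DLL that carries the name of a Windows system library but lives in the host's own directory rather than under System32. The following detection logic is an added example written for this article, not code from Facebook, FireEye or the group's own tooling; it assumes Sysmon-style ImageLoad (Event ID 7) fields (`Image`, `ImageLoaded`, `Signed`) flattened to key=value lines, and all records are constructed.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style ImageLoad (Event ID 7) records, flattened to
# key=value lines for the example; field names follow Sysmon, values are made up.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\version.dll Signed=true
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update\\wordview.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\update\\version.dll Signed=false
Image=C:\\Program Files\\Vendor\\tool.exe ImageLoaded=C:\\Program Files\\Vendor\\plugin.dll Signed=false
Image=C:\\Program Files\\Vendor\\tool.exe ImageLoaded=C:\\Windows\\System32\\dbghelp.dll Signed=true
Image=C:\\Users\\bob\\Downloads\\report.exe ImageLoaded=C:\\Users\\bob\\Downloads\\dbghelp.dll Signed=false
"""

# DLL names that legitimately live under the Windows system directories; an
# unsigned copy sitting next to the host binary is the side-loading pattern.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record; values may contain spaces (e.g. Program Files)."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def is_sideload_candidate(ev: Dict[str, str]) -> bool:
    """True when a system-named, unsigned DLL is loaded from the host exe's own directory."""
    dll = ev.get("ImageLoaded", "")
    name = dll.rsplit("\\", 1)[-1].lower()
    dll_dir = dll.lower()[: len(dll) - len(name)]          # keeps trailing backslash
    host_dir = ev.get("Image", "").lower().rsplit("\\", 1)[0] + "\\"
    return (
        name in SYSTEM_DLLS
        and not dll_dir.startswith(SYSTEM_DIRS)              # not the legitimate location
        and dll_dir == host_dir                              # co-located with the host
        and ev.get("Signed", "").lower() == "false"          # no valid Authenticode signature
    )


def find_sideloading(log_text: str) -> List[str]:
    """Return the ImageLoaded paths of every record matching the side-loading pattern."""
    return [
        ev["ImageLoaded"]
        for ev in (parse_event(line) for line in log_text.splitlines())
        if is_sideload_candidate(ev)
    ]


if __name__ == "__main__":
    for hit in find_sideloading(SAMPLE_EVENTS):
        print("possible DLL side-loading:", hit)
```

Only the two unsigned, co-located copies of system library names are reported; the same names loaded from System32 and the vendor's own plugin DLL are left alone.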


The naming of CyberOne Group is not the first time researchers have publicly linked a government-backed hacking group to a real-world organization. In 2013, researchers from Mandiant, now part of the security firm FireEye, identified a 12-story office tower in Shanghai, China, as the nerve center of Comment Crew, a hacking group responsible for breaching more than 140 organizations across the country seven years ago. The building was the headquarters of Unit 61398 of the People's Liberation Army.

In 2018, FireEye reported that a research laboratory in Russia had developed potentially life-threatening malware that tampered with the security mechanisms of an industrial facility in the Middle East.

Facebook said it would deny OceanLotus any opportunity to abuse the company's platform. It expects the group's tactics to evolve, but said improved detection systems would make it harder for the group to evade exposure.

Thursday's report does not include details of how Facebook linked OceanLotus to CyberOne Group, making it difficult for outside researchers to confirm the findings. Facebook told Reuters that publishing those details would give the attackers, and others like them, information that would help them evade detection in the future.


Steven Gregory