Hackers backed by the Vietnamese government are linked to an IT firm, Facebook says
Facebook said it has linked an advanced hacking group, widely believed to be sponsored by the Vietnamese government, to a purportedly legitimate IT company in that country.
The advanced persistent threat group goes by the monikers APT32 and OceanLotus. It has been active since at least 2014 and targets private-sector companies in a range of industries, as well as foreign governments, dissidents, and journalists in Southeast Asia and elsewhere. It uses a variety of tactics, including phishing, to infect targets with full-featured desktop and mobile malware developed from the ground up. To gain targets' trust, the group goes to great lengths to build websites and online personas that masquerade as legitimate people and organizations.
Earlier this year, researchers discovered at least eight unusually sophisticated Android apps hosted on Google Play and linked to the group. Many had been there since at least 2018. OceanLotus repeatedly bypassed Google's app-review process by submitting initially benign versions of the apps and later updating them to add backdoors and other malicious functionality.
FireEye published a detailed report on OceanLotus in 2017, and BlackBerry has more recent findings.
On Thursday, Facebook identified the Vietnamese IT company CyberOne Group as being affiliated with OceanLotus. The company lists an address in Ho Chi Minh City.
Emails sent to the company seeking comment bounced with an error message indicating that the company's mail server was misconfigured. However, a Reuters report on Friday quoted a person who runs the company's now-banned Facebook page: “We are NOT Ocean Lotus. It's a mistake."
At the time this post went live, the company's website was also down. An archive of it from earlier on Friday is here.
According to Facebook, a recent investigation uncovered a number of notable tactics, techniques, and procedures, including:
- Social Engineering: APT32 has created fictional personas on the internet posing as activists and corporations, or using romantic bait to get in touch with people they target. These efforts often included creating backstops for these fake personas and fake organizations in other internet services so that they could appear more legitimate and stand up to scrutiny, including by security researchers. Some of their pages are designed to attract specific followers for later phishing and malware targeting.
- Malicious Play Store Apps: In addition to using Pages, APT32 lured targets to download Android applications from the Google Play Store, which had a variety of permissions to allow for extensive monitoring of people's devices.
The naming of CyberOne Group is not the first time researchers have publicly tied a government-backed hacking group to a real-world organization. In 2013, researchers from Mandiant, now part of the security firm FireEye, identified a 12-story office tower in Shanghai, China, as the nerve center of Comment Crew, a hacking group that had compromised more than 140 organizations across 20 industries over a seven-year period. The building was the headquarters of Unit 61398 of the People's Liberation Army.
In 2018, FireEye reported that a research laboratory in Russia had developed potentially life-threatening malware that tampered with the safety instrumented systems of an industrial facility in the Middle East.
Facebook said it had taken steps to disrupt OceanLotus's ability to abuse its platform. Facebook said it expected the group's tactics to evolve, but that improved detection systems would make it harder for the group to evade exposure.
Thursday's report does not explain how Facebook linked OceanLotus to CyberOne Group, which makes it difficult for outside researchers to independently verify the attribution. Facebook told Reuters that disclosing those details would give the attackers, and others like them, information they could use to evade detection in the future.