A new report from FireEye found that APT32 leverages a unique suite of fully featured malware to conduct targeted attacks aligned with Vietnamese state interests. Its targets are headquartered in the UK, US, Germany, China, the Philippines and Vietnam.
FireEye has observed the campaign targeting foreign corporations with an interest in Vietnam's manufacturing, products and hospitality sectors since at least 2014.
The company has also indicated that APT32 is targeting peripheral network security and technology infrastructure companies, as well as consulting firms that may have connections with foreign investors.
APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists.
In the current campaign, APT32 has leveraged ActiveMime files that employ social engineering to tempt the victim into enabling macros. Once executed, the initialised file downloads multiple malicious payloads from remote servers. The actors continue to deliver the malicious attachments via spear-phishing emails.
Multilingual lure documents were designed for specific victims. The files had “.doc” extensions, but the recovered phishing lures were ActiveMime “.mht” web page archives that contained text and images.
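The extension/content mismatch described above is something a mail gateway or triage script can check for directly. The following added example (not code from FireEye or the report) classifies an attachment by its actual container format rather than its ".doc" name and, for MHTML web archives, decodes the MIME parts to see whether any carries an ActiveMime blob, the structure Word uses to embed macro data in an .mht file. The sample archive is constructed for the demonstration; the ActiveMime body is a stub consisting only of the "ActiveMime" magic followed by padding.

```python
import base64
import email
from email import policy

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Word (.doc)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) ZIP container


def classify_container(data: bytes) -> str:
    """Decide what the file really is from its content, ignoring the name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    head = data[:4096].lower()
    if b"mime-version:" in head and b"multipart/related" in head:
        return "mhtml"   # single-file web archive; Word will still open it
    return "unknown"


def find_activemime_parts(data: bytes) -> list[str]:
    """Return identifiers of MIME parts whose decoded body starts with the
    ActiveMime magic (the editdata.mso part that carries VBA in an .mht)."""
    msg = email.message_from_bytes(data, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64
        if payload.startswith(b"ActiveMime"):
            name = part.get_filename() or part.get("Content-Location")
            hits.append(name or part.get_content_type())
    return hits


def triage(filename: str, data: bytes) -> dict:
    """Flag attachments whose extension lies about the container, and note
    whether an MHTML archive smuggles macro-bearing ActiveMime data."""
    container = classify_container(data)
    result = {
        "container": container,
        "extension_mismatch": filename.lower().endswith(".doc") and container != "ole2",
        "activemime_parts": [],
    }
    if container == "mhtml":
        result["activemime_parts"] = find_activemime_parts(data)
    return result


# Constructed sample: a Word-style MHT lure with a base64 ActiveMime part.
SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n\r\n'
    b"------=_NextPart_01\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Enable content to view this document.</body></html>\r\n"
    b"------=_NextPart_01\r\n"
    b"Content-Location: file:///C:/lure_files/editdata.mso\r\n"
    b"Content-Transfer-Encoding: base64\r\nContent-Type: application/x-mso\r\n\r\n"
    + base64.b64encode(b"ActiveMime" + b"\x00" * 24) + b"\r\n"
    + b"------=_NextPart_01--\r\n"
)

if __name__ == "__main__":
    print(triage("invoice.doc", SAMPLE_MHT))
```

A hit on both `extension_mismatch` and a non-empty `activemime_parts` is the combination the report describes; a plain MHTML with no ActiveMime part is merely unusual and worth a closer look rather than a definite indicator.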
The report recognises the need for public awareness of these threats and new dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.
A full technical outline of APT32's infrastructure, tactics and detection of the campaign can be found here.
In a news release Q&A on APT32, Nick Carr, senior manager for Mandiant incident response at FireEye, said: “APT32 accessed personnel details and other data from multiple victim organisations that would be of very little use to any party other than the Vietnamese government. Additionally, the timing of APT32's intrusions appears to correspond with many of its victims' engagements with the Vietnamese government on regulatory matters.
“In several cases it appeared APT32 was conducting intrusions to investigate the victim's operations and assess their adherence to regulations. This is unusual and a significant departure from the wide scale intellectual property theft and espionage we saw from Chinese groups.”
“Conducting business internationally has always involved additional risks for firms. Today boards need to add cyber-risks to the list of their concerns. It's now clear firms need to add another significant item to the list of risks associated with international business: cyber-attacks,” Carr said when asked whether more of this should be expected from APT32.