Ocean Lotus Group/APT 32 identified as Vietnamese APT group

News by Max Metzger

Vietnam has gotten its first designated APT group, notable for being used in regulatory matters, marking rise of advanced APT groups from even small countries.

The Ocean Lotus Group, otherwise known as APT32, has been identified as Vietnamese according to FireEye. The group's new status  marks the rising tide of capability that allows even small countries to develop advanced and fearsome capability.

The group's links with the Vietnamese state were apparently established in a recent blogpost by FireEye. The group has been in operation since at least 2014, when the company first observed it going after international companies involved in the manufacturing, consumer products and hospitality sectors of Vietnam. It has apparently gone after plenty of name-brands, although none were named by FireEye.

Ocean Lotus Group has also targeted foreign governments, dissidents, journalists and critics of the Vietnamese state. In 2015 and 16, the group was spotted infiltrating Vietnamese media with its unique malware. Even this year, APT 32 social engineering lures were used against members of the Vietnamese diaspora in nearby Australia.

Attribution is far from a perfect science. Advanced groups will often use the malware of others and route their attacks through multiple countries, making true identification difficult. Nick Carr, senior manager for Mandiant incident response at FireEye and the author of the post told SC Media UK that, “APT32 accessed personnel details and other data from multiple victim organisations that would be of very little use of to any party other than the Vietnamese government.”

Furthermore, Carr adds, the timings of its operations coincided with moments of regulatory engagement that the target had with the Vietnamese government. It appears that in a number of cases the group was trying to assess its target's compliance with Vietnamese law. This, said Carr, “is unusual and a significant departure from the wide scale intellectual property theft and espionage we saw from Chinese groups.”

The group seems to have ample resources, support and talent. APT 32 has proven itself quite adept at stealthily creeping in and out of its targets' networks, clearing event log entries and hiding their power-shell based tools. It uses a wide variety of signature malware, such as WINDSHIELD AND KOMPROGO, as well as a large amount of domains and IP addresses as its C&C infrastructure. It may even have backdoor development capabilities for MacOs.

As more and more countries gain access to advanced and inexpensive offensive capabilities, more APT groups enter the fray to compete with the likes of Russia, China and the US. it has simply become easier and cheaper to attain advanced offensive capabilities. Jens Monrad, senior intel analyst at FireEye explained, “In cyber-security, offensive techniques have matured faster than defence in many organisations. Offensive operations by more developed nations have shown the world that cyber activity can deliver significant results with little blowback. APTs are not judged by the size of the nations from which they originated, so sophisticated attacks are being launched from what could be considered less developed countries.

This shows no  signs of halting, added Monrad, “With the continued digitisation around the globe, where citizens, consumers, businesses and governments are becoming more connected, we expect to see the capabilities of these nations continue to proliferate which will inspire other regions to do the same.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews