Facebook said it has linked an advanced hacking group, widely believed to be sponsored by the government of Vietnam, to what it claims is a legitimate IT company in that country.
The so-called advanced persistent threat group goes under the monikers APT32 and OceanLotus. It has been active since at least 2014, targeting private sector companies in a range of industries, along with foreign governments, dissidents and journalists in South Asia and elsewhere. It uses a variety of tactics, including phishing, to infect targets with full-featured desktop and mobile malware developed from scratch. To gain the trust of its targets, the group goes to great lengths to create websites and online personas that impersonate legitimate people and organizations.
Earlier this year, researchers discovered at least eight unusually sophisticated Android apps hosted on Google Play that were linked to the hacking group. Many of them have been around since at least 2018. OceanLotus repeatedly evaded Google’s app vetting process, in part by submitting benign versions of the apps and later updating them to add backdoors and other malicious functionality.
FireEye published this detailed report on OceanLotus in 2017 and BlackBerry has more recent information here.
On Thursday, Facebook identified Vietnamese IT company CyberOne Group as linked to OceanLotus. The group lists an address in Ho Chi Minh City.
Email sent to the company seeking comment returned an error that the email server was misconfigured. However, a Reuters report on Friday quoted a person who ran the company’s now-suspended Facebook page as saying, “We are NOT Ocean Lotus. It’s a mistake.”
At the time this post went live, the company’s website was also unavailable. An archive of it from earlier on Friday is here.
A recent investigation, Facebook said, revealed a variety of notable tactics, techniques and procedures, including:
- Social engineering: APT32 created fictional personas on the Internet posing as activists and business entities, or used romantic lures in contacting people they targeted. These efforts often include creating backstops for these fake personas and fake organizations on other Internet services so that they appear more legitimate and resistant to close scrutiny, including by security researchers. Some of their pages are designed to lure certain followers for subsequent phishing and malware targeting.
- Malicious Play Store apps: In addition to using Pages, APT32 lured targets to download Android applications through the Google Play Store that had a wide range of permissions to enable broad surveillance of people’s devices.
The CyberOne Group naming isn’t the first time researchers have publicly linked a government-backed hacking group to real organizations. In 2013, researchers at Mandiant, now part of security firm FireEye, identified a 12-story office tower in Shanghai, China, as the nerve center for Comment Crew, a hacking group responsible for hacks on more than 140 organizations around the world over the previous seven years. The building was the headquarters of Unit 61398 of the People’s Liberation Army. And in 2018, FireEye said potentially life-threatening malware that tampered with the security mechanisms of an industrial facility in the Middle East was developed in a research lab in Russia.
Facebook said it would remove OceanLotus’ ability to abuse the company’s platform. Facebook said it expects the group’s tactics to evolve, but that improved detection systems will make it more difficult for the group to evade exposure.
Thursday’s report provides no specifics on how Facebook linked OceanLotus to CyberOne Group, making it difficult for outside researchers to confirm the finding. Facebook told Reuters that providing those details would give the attackers and others like them information that would allow them to evade detection in the future.