OceanLotus is a Vietnamese threat group formed in 2014 that conducts cyber espionage targeting organizations of interest to the Vietnamese government. It employs social engineering and exploits vulnerabilities to gain access to targets' systems and exfiltrate data. OceanLotus has targeted dissidents, journalists, foreign governments, and private industries in Southeast Asia. It leverages commercially available tools and custom malware to conduct operations aligned with Vietnamese state interests.
2. OCEANLOTUS
OceanLotus is also known by many other names, including APT32, APT-C-00, and SeaLotus. OceanLotus is a hacking threat group formed in 2014 and based in Vietnam.
3. OCEANLOTUS
Based on the calibre of OceanLotus' targets, the hacking techniques employed, and its success rate, this threat actor is amply supplied with highly skilled hackers and resources.
4. OCEANLOTUS
According to The MITRE Corp. (2021), OceanLotus' victims range from multiple private sector industries and foreign governments to dissidents and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia.
5. OCEANLOTUS
OceanLotus' primary motivation is cyber espionage. This threat actor continually targets organizations of interest to the Vietnamese government for surveillance and data-exfiltration purposes.
6. OCEANLOTUS
According to Carr (2017), FireEye assesses that OceanLotus leverages a unique suite of fully featured malware, in conjunction with commercially available tools, to conduct targeted operations that are aligned with Vietnamese state interests, including operations against the manufacturing, consumer products, and hospitality sectors.
7. OCEANLOTUS
Based on the Lockheed Martin Kill Chain framework, OceanLotus conducts its reconnaissance by identifying its specific targets. These are mainly organizations of "special interest" to the Vietnamese government.
8. OCEANLOTUS
Once they have identified their targets, they move on to weaponization by preparing and determining how they will attack that particular target. This may include coupling malware with an exploit into a deliverable payload.
9. OCEANLOTUS
According to The MITRE Corp. (2021), one of the techniques utilized by OceanLotus is Enterprise T1083 (File and Directory Discovery). Once deployed, OceanLotus' backdoor has the capability to list files and directories on a targeted machine.
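As an added example (not from the slides or from MITRE), the following Python detection logic shows how a defender can surface T1083 activity in process-creation telemetry: it flags a burst of directory-listing commands from one host/user pair inside a short window, and flags any single listing command whose parent process is an Office application, which ties in with the macro-based delivery described later in the deck. The log line layout and all events are constructed for the example and would need to be mapped onto your own EDR or Sysmon Event ID 1 fields.

```python
"""Added example, not from the slides or MITRE: flag bursts of file and
directory discovery commands (ATT&CK T1083) in process-creation telemetry.

The log format (timestamp, host, user, parent image, command line) is an
assumption for the example; all events below are constructed.
"""
import re
from collections import deque
from datetime import datetime

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.+)$"
)

# Command lines that enumerate files or directories. The leading
# (start|whitespace|quote) group keeps path components such as C:\dir\x
# from matching the cmd.exe builtin.
DISCOVERY_RE = re.compile(
    r'(?:^|[\s"])(?:dir|tree)(?:\.com|\.exe)?(?:\s|$)'   # cmd.exe dir / tree
    r"|Get-ChildItem|\bgci\b"                            # PowerShell
    r"|\bls\s+-[A-Za-z]*R\b"                             # ls -R, ls -laR
    r"|\bfind\s+\S+\s+-type\s+[fd]\b",                   # find / -type f
    re.I,
)

# Office applications do not normally spawn shells that walk the file
# system; one discovery command with such a parent is reportable by itself.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not fit."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def analyze(lines, window_seconds=60, threshold=3):
    """Return alerts for (host, user) pairs that issue `threshold` or more
    discovery commands inside a sliding window, plus any discovery command
    whose parent process is an Office application."""
    alerts = []
    recent = {}          # (host, user) -> deque of discovery-command timestamps
    burst_fired = set()  # one burst alert per (host, user)
    for line in lines:
        ev = parse_event(line)
        if ev is None or not DISCOVERY_RE.search(ev["cmd"]):
            continue
        key = (ev["host"], ev["user"])
        if ev["parent"].lower() in OFFICE_PARENTS:
            alerts.append({"host": ev["host"], "user": ev["user"], "count": 1,
                           "reason": f"discovery command spawned by Office parent {ev['parent']}"})
        q = recent.setdefault(key, deque())
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in burst_fired:
            burst_fired.add(key)
            alerts.append({"host": ev["host"], "user": ev["user"], "count": len(q),
                           "reason": f"{len(q)} discovery commands within {window_seconds}s"})
    return alerts


# Constructed telemetry: a burst from alice, a benign lone dir from bob, and
# a Word-spawned PowerShell enumeration from carol.
SAMPLE_EVENTS = [
    r"2022-09-12T10:00:01Z host=WS01 user=alice parent=rundll32.exe cmd=cmd.exe /c dir /s /b C:\Users\alice\Documents",
    r"2022-09-12T10:00:05Z host=WS01 user=alice parent=rundll32.exe cmd=cmd.exe /c dir /s /b D:\Share",
    r"2022-09-12T10:00:09Z host=WS01 user=alice parent=rundll32.exe cmd=tree C:\ /f",
    r"2022-09-12T10:00:30Z host=WS02 user=bob parent=explorer.exe cmd=cmd.exe /c dir",
    r"2022-09-12T10:01:00Z host=WS03 user=carol parent=WINWORD.EXE cmd=powershell.exe -nop -c Get-ChildItem -Recurse C:\Users",
    r"2022-09-12T10:05:00Z host=WS03 user=carol parent=svchost.exe cmd=notepad.exe readme.txt",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']}: {a['reason']}")
```

The burst threshold and window are the tuning knobs: a lone `dir` from Explorer on WS02 is ignored, while three listings in eight seconds from the same unusual parent on WS01 fire once. The Office-parent rule is deliberately independent of the count, because a single enumeration spawned by Word is already out of place.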
10. OCEANLOTUS
Once OceanLotus determines the weaponization route, it then moves on to delivery and exploitation. This enables it to gain access to its target's systems by exploiting vulnerabilities in those systems.
11. OCEANLOTUS
This is then followed by installation. For instance, Carr (2017) stated that OceanLotus has been known to leverage ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers.
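As an added example (not from the slides or the cited reports), the following Python script shows how a defender can statically triage the ActiveMime document type mentioned above without opening it in Word. An ActiveMime document is MIME text; a part typed `application/x-mso` carries a base64 blob that begins with the magic string `ActiveMime` and, at a small fixed offset, a zlib stream that inflates to an OLE2 container holding the VBA project. The three offsets tried are the ones oletools' olevba tries; the sample document is constructed inline, mimics only the container layout, and contains no real macro code. For production triage, hand the inflated container to olevba rather than relying on the marker check here.

```python
"""Added example, not from the slides or the cited reports: static triage of
an MHTML ("ActiveMime") Word document.

The sample document is constructed inline; it is not real malware and only
mimics the container layout (ActiveMime magic, zlib stream, OLE2 magic,
UTF-16LE stream names). Offsets are those oletools' olevba tries.
"""
import base64
import email
import zlib

ACTIVEMIME_MAGIC = b"ActiveMime"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZLIB_OFFSETS = (0x1E, 0x32, 0x22A)
# OLE directory entry names are stored UTF-16LE; these indicate a VBA project.
VBA_STREAM_NAMES = ("_VBA_PROJECT", "Macros", "VBA", "ThisDocument")


def extract_mso_parts(data):
    """Return the decoded body of every application/x-mso MIME part.
    A bare .mso file (already starting with the magic) is returned as-is."""
    if data.startswith(ACTIVEMIME_MAGIC):
        return [data]
    msg = email.message_from_bytes(data)
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "application/x-mso":
            body = part.get_payload(decode=True)  # undoes base64 transfer encoding
            if body:
                parts.append(body)
    return parts


def inflate_activemime(blob):
    """Return (offset, inflated bytes) for the first known offset holding a
    valid zlib stream, or (None, None)."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return None, None
    for off in ZLIB_OFFSETS:
        try:
            return off, zlib.decompress(blob[off:])
        except zlib.error:
            continue
    return None, None


def triage_document(data):
    """Describe each x-mso part: where the zlib stream sits, whether it
    inflates to an OLE2 container, and which VBA stream names appear."""
    findings = []
    for idx, blob in enumerate(extract_mso_parts(data)):
        offset, inner = inflate_activemime(blob)
        markers = [n for n in VBA_STREAM_NAMES
                   if inner and n.encode("utf-16-le") in inner]
        is_ole = bool(inner) and inner.startswith(OLE_MAGIC)
        if is_ole and markers:
            verdict = "macro-bearing ActiveMime document"
        elif blob.startswith(ACTIVEMIME_MAGIC):
            verdict = "ActiveMime container without VBA markers"
        else:
            verdict = "x-mso part is not ActiveMime"
        findings.append({"part": idx, "zlib_offset": offset, "ole_container": is_ole,
                         "vba_markers": markers, "verdict": verdict})
    return findings


def build_sample_document():
    """Construct a stand-in MHTML document with the ActiveMime layout."""
    fake_ole = (OLE_MAGIC + b"\x00" * 24
                + "Macros".encode("utf-16-le") + b"\x00\x00"
                + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 32)
    blob = ACTIVEMIME_MAGIC + b"\x00" * (0x32 - len(ACTIVEMIME_MAGIC)) + zlib.compress(fake_ole)
    b64 = base64.encodebytes(blob).decode("ascii")
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="----=_NextPart_01"\n\n'
        "------=_NextPart_01\n"
        'Content-Type: text/html; charset="us-ascii"\n\n'
        "<html><body>Registration form</body></html>\n"
        "------=_NextPart_01\n"
        "Content-Location: file:///C:/editdata.mso\n"
        "Content-Transfer-Encoding: base64\n"
        "Content-Type: application/x-mso\n\n"
        + b64 +
        "------=_NextPart_01--\n"
    ).encode("ascii")


if __name__ == "__main__":
    for finding in triage_document(build_sample_document()):
        print(finding)
```

The check is cheap enough to run in a mail gateway or on a file share: a document that is MIME text yet carries an `application/x-mso` part inflating to an OLE2 container with VBA stream names deserves detonation or quarantine before any user is asked to "enable macros".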
12. OCEANLOTUS
Once OceanLotus completes installation on its victim's system, it can command and control that system and conduct its espionage activities, amongst other malicious objectives.
13. OCEANLOTUS
OceanLotus Target Examples
In 2017, social engineering content in lures used by OceanLotus provided evidence that they were likely used to target members of the Vietnamese diaspora in Australia as well as government employees in the Philippines (Carr, 2017).
In 2014, OceanLotus leveraged a spear-phishing attachment titled "Plans to crackdown on protesters at the Embassy of Vietnam.exe," which targeted dissident activity among the Vietnamese diaspora in Southeast Asia (Carr, 2017).
14. OCEANLOTUS
Target Examples Contd.
In 2018, a macOS backdoor was discovered. It was believed to be the latest version of a threat used by OceanLotus. The macOS backdoor was discovered in a malicious Word document that was most likely distributed via email. The document claims to be a registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy. Upon receiving the malicious document, the user is advised to enable macros. Unsuspecting users who followed as directed inadvertently installed the backdoor malware on their system (Horejsi, 2018).
15. OCEANLOTUS
OceanLotus should be considered both a private problem for businesses and a public concern for policymakers. This threat actor has launched cyber espionage campaigns against Chinese targets, including ocean affairs agencies, the departments in charge of China's territorial waters, research institutes, and aviation, aeronautics, and shipping companies. These clearly show that no one is spared from this threat actor's attacks.
16. OCEANLOTUS
Policymakers need to continually respond to the threat OceanLotus poses by enacting more cybersecurity laws that mandate that various societal sectors, including business, utilities, financial, healthcare, and government, ensure the security of their systems and data to prevent attacks from threat actors like OceanLotus and others.
17. OCEANLOTUS
References
Carr, N. (2017, May 14). Cyber espionage is alive and well: APT32 and the threat to global corporations. Mandiant. Retrieved September 12, 2022, from https://www.mandiant.com/resources/blog/cyber-espionage-apt32
Horejsi, J. (2018, April 4). New macOS backdoor linked to OceanLotus found. Trend Micro. Retrieved September 12, 2022, from https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
The MITRE Corporation. (2021, October 14). APT32. attack.mitre.org. Retrieved September 12, 2022, from https://attack.mitre.org/groups/G0050/