Suspected Vietnamese cyber-spies targeting dissidents in Germany
The Daily Swig | 09 November 2020
An investigation by German broadcaster BR and weekly newspaper Zeit Online has revealed how the OceanLotus (APT32) group is using spear-phishing, watering-hole attacks (compromised legitimate websites) and similar tactics to target Vietnamese expatriates in Germany.
The article tells the story of those targeted, offering a rare victim-centric perspective on the use of cyber-espionage to target dissidents and human rights activists.
For example, Berlin-based Vietnamese blogger Bui Thanh Hieu talks of his fears that any successful malware attack on his computer could expose the identities of people in his home nation who are feeding him intelligence.
Bui clicked on links in phishing emails, but his PC was not compromised by malware, according to a preliminary investigation.
The article offers a visualization of how the phishing emails sent to Bui were designed to work, as well as a similar teardown of other elements of the hackers’ cyber-tradecraft.
Industrial secrets
The OceanLotus group has also been implicated in attacks against Chinese government agencies, in an apparent attempt to get intel about the coronavirus, as well as separate attacks against Southeast Asian businesses.
The group’s alleged activities in Germany featured attempts to steal industrial secrets from BMW.
Investigative reporter and coder Hakan, a researcher who worked closely with the German news outlets on their investigation, told The Daily Swig: “From what we’ve heard, this group is targeting mainly entities that have a connection to Vietnam, be it in the political realm (NGOs), religious groups or even protests around the toxic spill that happened a while back. Industrial espionage – the car company targeting – as far as I understand caught everybody by surprise.”
“I don't think that there are other APT-style groups in Vietnam,” he added.
Ocean’s Command86
CrowdStrike reckons APT32 is a unit in the Vietnamese military, called Command86. The number of personnel in the unit is unconfirmed, but its activities are wide-ranging.
In April 2020, researchers from Kaspersky disclosed how the same OceanLotus group was using the Google Play Store to distribute malware.
Earlier this month, security firm Volexity warned that OceanLotus was using fake websites (many touting news in Vietnamese) and Facebook pages as the launching pads for an array of attacks.
“In addition to targeting those within Vietnam, Volexity has seen renewed targeting of OceanLotus’s neighbors throughout Southeast Asia,” it reported. “These websites have been observed profiling users, redirecting to phishing pages, and being leveraged to distribute malware payloads for Windows and OSX.”