Suspected Vietnamese cyber-spies targeting dissidents in Germany
The Daily Swig |
09 November 2020
An investigation by German broadcaster BR and weekly newspaper Zeit Online has revealed how the OceanLotus (APT32) group is using spear-phishing, watering-hole attacks (compromised legitimate websites that serve malware to visitors) and similar tactics to target Vietnamese expatriates in Germany.
The article tells the story of those targeted, offering a rare victim-centric perspective on the use of cyber-espionage against dissidents and human rights activists.
For example, Berlin-based Vietnamese blogger Bui Thanh Hieu talks of his fears that any successful malware attack on his computer could expose the identities of people in his home nation that are feeding him intelligence.
Bui clicked on links in phishing emails, but his PC was not compromised by malware, according to a preliminary investigation.
The article offers a visualization of how the phishing emails sent to Bui were designed to work, as well as a similar teardown of other elements of the group’s tradecraft.
The OceanLotus group has also been implicated in attacks against Chinese government agencies, in an apparent attempt to get intel about the coronavirus, as well as separate attacks against South East Asian businesses.
The group’s alleged activities in Germany featured attempts to steal industrial secrets from BMW.
Hakan, an investigative reporter and coder who worked closely with the German news outlets on their investigation, told The Daily Swig: “From what we’ve heard, this group is targeting mainly entities that have a connection to Vietnam, be it in the political realm (NGOs), religious groups or even protests around the toxic spill that happened a while back. Industrial espionage – the car company targeting – as far as I understand caught everybody by surprise.”
“I don't think that there are other APT-style groups in Vietnam,” he added.
CrowdStrike reckons APT32 is a unit in the Vietnamese military, called Command86. The number of personnel in the unit is unconfirmed, but its activities are wide-ranging.
In April 2020, researchers from Kaspersky disclosed how the same OceanLotus group was using the Google Play Store to distribute malware.
Earlier this month, security firm Volexity warned that OceanLotus was using fake websites (many touting news in Vietnamese) and Facebook pages as the launching pads for an array of attacks.
“In addition to targeting those within Vietnam, Volexity has seen renewed targeting of OceanLotus’s neighbors throughout Southeast Asia,” it reported.
“These websites have been observed profiling users, redirecting to phishing pages, and being leveraged to distribute malware payloads for Windows and OSX.”