OceanLotus

OceanLotus, also known as APT32, BISMUTH, or Canvas Cyclone, [1] is a hacker group associated with the government of Vietnam. [2] [3] [4] [5] It has been accused of cyberespionage targeting political dissidents, government officials, and businesses with ties to Vietnam. [6]

History

In 2020, Bloomberg reported that OceanLotus had targeted China's Ministry of Emergency Management and the Wuhan municipal government in order to obtain information about the COVID-19 pandemic. The Vietnamese Ministry of Foreign Affairs called the accusations unfounded. [7] [8] [9]

In 2020, Kaspersky researchers disclosed that OceanLotus had been using the Google Play Store to distribute malware. In November 2020, Volexity researchers disclosed that OceanLotus had set up fake news websites and Facebook pages both to profile visitors and to distribute malware. [10] [11] According to reports, Facebook traced the group's activities to an IT company called CyberOne Group in Ho Chi Minh City. [12]

In February 2021, Amnesty International reported that OceanLotus had launched a number of spyware attacks against Vietnamese human rights activists, including Bui Thanh Hieu. [13]

In March 2021, it was reported that the group's operations were impacted by a fire at an OVH data center in France. [14]

References

  1. "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  2. Panda, Ankit. "Offensive Cyber Capabilities and Public Health Intelligence: Vietnam, APT32, and COVID-19". Thediplomat.com. Retrieved 29 April 2020.
  3. Tanriverdi, Hakan; Zierer, Max; Wetter, Ann-Kathrin; Biermann, Kai; Nguyen, Thi Do (8 October 2020). Nierle, Verena; Schöffel, Robert; Wreschniok, Lisa (eds.). "Lined up in the sights of Vietnamese hackers". Bayerischer Rundfunk. "In Bui's case the traces lead to a group presumably acting on behalf of the Vietnamese state. Experts have many names for this group: APT 32 and Ocean Lotus are best known. In conversations with a dozen of information security specialists, they all agreed that this is a Vietnamese group spying, in particular, on its own compatriots."
  4. Hay Newman, Lilly. "An Up-Close View of the Notorious APT32 Hacking Group in Action". Wired.com. Retrieved 7 November 2020.
  5. "Vietnamese APT32 group is one of the most advanced APTs in the threat landscape". Cyberdefensemagazine.com. Retrieved 7 November 2020.
  6. Pearson, James; Stubbs, Jack (11 December 2020). "Facebook tracks 'OceanLotus' hackers to IT firm in Vietnam". Reuters.com. Retrieved 2 March 2021.
  7. Tarabay, Jamie (23 April 2020). "Vietnamese Hackers Targeted China Officials at Heart of Outbreak". Bloomberg.com.
  8. Thayer, Carl. "Did Vietnamese Hackers Target the Chinese Government to Get Information on COVID-19?". Thediplomat.com.
  9. Hui, Mary. "Vietnam's early coronavirus response reportedly included hackers who targeted China". Qz.com.
  10. Vavra, Shannon. "Vietnamese hacking group OceanLotus uses imitation news sites to spread malware". Cyberscoop.com. Retrieved 7 November 2020.
  11. Franceschi-Bicchierai, Lorenzo. "Vietnamese Hackers Ran 'Fake News' Websites To Target Visitors". Vice.com. Retrieved 7 November 2020.
  12. "Facebook tracks 'OceanLotus' hackers to IT firm in Vietnam". Reuters.com. 11 December 2020. Retrieved 15 December 2021.
  13. "Vietnamese activists targeted by notorious hacking group". Amnesty.org. Retrieved 2 March 2021.
  14. Coble, Sarah (15 March 2021). "OVH Data Center Fire Impacts Cyber-criminals". Infosecurity-magazine.com. Retrieved 15 March 2021.