OceanLotus, also named APT32, BISMUTH, Ocean Buffalo by CrowdStrike, or Canvas Cyclone by Microsoft, [1] is a hacker group associated with the government of Vietnam. [2] [3] [4] [5] It has been accused of cyberespionage targeting political dissidents, government officials, and businesses with ties to Vietnam. [6]
In April 2020, Bloomberg reported that OceanLotus had targeted China's Ministry of Emergency Management and the Wuhan municipal government in order to obtain information about the COVID-19 pandemic. The Vietnamese Ministry of Foreign Affairs called the accusations unfounded. [7] [8] [9]
In November, Kaspersky researchers disclosed that OceanLotus had been using the Google Play Store to distribute malware. Volexity researchers disclosed that OceanLotus had set up fake news websites and Facebook pages to both engage in web profiling and distribute malware. [10] [11] According to reports, Facebook traced the group's activities to an IT company called CyberOne Group in Ho Chi Minh City. [12]
In February 2021, Amnesty International reported that OceanLotus had launched a number of spyware attacks against Vietnamese human rights activists, including Bùi Thanh Hiếu. [13]
In March 2021, it was reported that the group's operations were impacted by a fire at an OVHcloud data centre in France. [14]
The Government of China is engaged in espionage overseas, directed through diverse methods via the Ministry of State Security (MSS), the Ministry of Public Security (MPS), the United Front Work Department (UFWD), People's Liberation Army (PLA) via its Intelligence Bureau of the Joint Staff Department, and numerous front organizations and state-owned enterprises. It employs a variety of tactics including cyber espionage to gain access to sensitive information remotely, signals intelligence, human intelligence as well as influence operations through united front activity targeting overseas Chinese communities and associations. The Chinese government is also engaged in industrial espionage aimed at gathering information and technology to bolster its economy, as well as transnational repression of dissidents abroad such as supporters of the Tibetan independence movement and Uyghurs as well as the Taiwan independence movement, the Hong Kong independence movement, Falun Gong, pro-democracy activists, and other critics of the Chinese Communist Party (CCP). The United States alleges that the degree of intelligence activity is unprecedented in its assertiveness and engagement in multiple host countries, particularly the United States, with economic damages estimated to run into the hundreds of billions according to the Center for Strategic and International Studies.
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.
Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.
Operation Aurora was a series of cyber attacks performed by advanced persistent threats such as the Elderwood Group based in Beijing, China, with associations with the People's Liberation Army. First disclosed publicly by Google on January 12, 2010, by a weblog post, the attacks began in mid-2009 and continued through December 2009.
An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.
Cyberwarfare by China is the aggregate of all combative activities in the cyberspace which are taken by organs of the People's Republic of China, including affiliated advanced persistent threat (APT) groups, against other countries.
Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.
Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.
Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.
Anomali Inc. is an American cybersecurity company that develops and provides threat intelligence products. In 2023, the company moved into providing security analytics powered by artificial intelligence (AI).
Red Apollo is a Chinese state-sponsored cyberespionage group which has operated since 2006. In a 2018 indictment, the United States Department of Justice attributed the group to the Tianjin State Security Bureau of the Ministry of State Security.
Double Dragon is a hacking organization with alleged ties to the Chinese Ministry of State Security (MSS). Classified as an advanced persistent threat, the organization was named by the United States Department of Justice in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.
In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.
Bùi Thanh Hiếu is a Vietnamese human rights activist and blogger under the username Người Buôn Gió.. In 2009, Bùi was detained for ten days by the Vietnamese government for "abusing democratic freedoms to infringe upon the interests of the State." As of 2021 he lives in exile in Germany with his son.
A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).
Hafnium is a cyber espionage group, sometimes known as an advanced persistent threat, with alleged ties to the Chinese government. Hafnium is closely connected to APT40.
During the prelude to the Russian invasion of Ukraine and the Russian invasion of Ukraine, multiple cyberattacks against Ukraine were recorded, as well as some attacks on Russia. The first major cyberattack took place on 14 January 2022, and took down more than a dozen of Ukraine's government websites. According to Ukrainian officials, around 70 government websites, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National and Defense Council (NSDC), were attacked. Most of the sites were restored within hours of the attack. On 15 February, another cyberattack took down multiple government and bank services.
Gamaredon, also known as Primitive Bear, UNC530, ACTINIUM, or Aqua Blizzard is a Russian advanced persistent threat that has been active since at least 2013.
In Bui's case the traces lead to a group presumably acting on behalf of the Vietnamese state. Experts have many names for this group: APT 32 and Ocean Lotus are best known. In conversations with a dozen of information security specialists, they all agreed that this is a Vietnamese group spying, in particular, on its own compatriots.
{{cite news}}
: CS1 maint: multiple names: authors list (link)