OceanLotus

Last updated

OceanLotus, also named APT32, BISMUTH, Ocean Buffalo by CrowdStrike, or Canvas Cyclone by Microsoft, [1] is a hacker group allegedly associated with the government of Vietnam. The founding member is identified as meli0das. [2] [3] [4] [5] It has been accused of cyberespionage targeting political dissidents, government officials, and businesses with ties to Vietnam. [6]

Contents

History

In April 2020, Bloomberg reported that OceanLotus had targeted China's Ministry of Emergency Management and the Wuhan municipal government in order to obtain information about the COVID-19 pandemic. The Vietnamese Ministry of Foreign Affairs called the accusations unfounded. [7] [8] [9]

In November, Kaspersky researchers disclosed that OceanLotus had been using the Google Play Store to distribute malware. Volexity researchers disclosed that OceanLotus had set up fake news websites and Facebook pages to both engage in web profiling and distribute malware. [10] [11] According to reports, Facebook traced the group's activities to an IT company called CyberOne Group in Ho Chi Minh City. [12]

In February 2021, Amnesty International reported that OceanLotus had launched a number of spyware attacks against Vietnamese human rights activists, including Bùi Thanh Hiếu. [13]

In March 2021, it was reported that the group's operations were impacted by a fire at an OVHcloud data centre in France. [14]

Related Research Articles

The government of the People's Republic of China is engaged in espionage overseas, directed through diverse methods via the Ministry of State Security (MSS), the Ministry of Public Security (MPS), the United Front Work Department (UFWD), People's Liberation Army (PLA) via its Intelligence Bureau of the Joint Staff Department, and numerous front organizations and state-owned enterprises. It employs a variety of tactics including cyber espionage to gain access to sensitive information remotely, signals intelligence, human intelligence as well as influence operations through united front activity targeting overseas Chinese communities and associations. The Chinese government is also engaged in industrial espionage aimed at gathering information and technology to bolster its economy, as well as transnational repression of dissidents abroad such as supporters of the Tibetan independence movement and Uyghurs as well as the Taiwan independence movement, the Hong Kong independence movement, Falun Gong, pro-democracy activists, and other critics of the Chinese Communist Party (CCP). The United States alleges that the degree of intelligence activity is unprecedented in its assertiveness and engagement in multiple host countries, particularly the United States, with economic damages estimated to run into the hundreds of billions according to the Center for Strategic and International Studies.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

Operation Aurora was a series of cyber attacks performed by advanced persistent threats such as the Elderwood Group based in Beijing, China, with associations with the People's Liberation Army. First disclosed publicly by Google on January 12, 2010, by a weblog post, the attacks began in mid-2009 and continued through December 2009.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Cyberwarfare by China is the aggregate of cyberattacks attributed to the organs of the People's Republic of China and various related advanced persistent threat (APT) groups.

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

Cyberwarfare is a part of the Iranian government's "soft war" military strategy. Being both a victim and wager of cyberwarfare, Iran is considered an emerging military power in the field. Since November 2010, an organization called "The Cyber Defense Command" has been operating in Iran under the supervision of the country's "Passive Civil Defense Organization" which is itself a subdivision of the Joint Staff of Iranian Armed Forces.

Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and was able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452 with a tentative connection to Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.

The Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the group, researchers have attributed many cyberattacks to them since 2010.

Red Apollo is a Chinese state-sponsored cyberespionage group which has operated since 2006. In a 2018 indictment, the United States Department of Justice attributed the group to the Tianjin State Security Bureau of the Ministry of State Security.

Double Dragon is a hacker group with alleged ties to the Chinese Ministry of State Security (MSS). Classified as an advanced persistent threat, the organization was named by the United States Department of Justice in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.

Bùi Thanh Hiếu is a Vietnamese human rights activist and blogger under the username Người Buôn Gió.. In 2009, Bùi was detained for ten days by the Vietnamese government for "abusing democratic freedoms to infringe upon the interests of the State." As of 2021 he lives in exile in Germany with his son.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

Hafnium is a cyber espionage group, sometimes known as an advanced persistent threat, with alleged ties to the Chinese government. Hafnium is closely connected to APT40.

Pipedream is a software framework for malicious code targeting programmable logic controllers (PLCs) and industrial control systems (ICS). First publicly disclosed in 2022, it has been described as a "Swiss Army knife" for hacking. It is believed to have been developed by state-level Advanced Persistent Threat actors.

Gamaredon, also known as Primitive Bear, UNC530, ACTINIUM, or Aqua Blizzard is a Russian advanced persistent threat that has been active since at least 2013.

<span class="mw-page-title-main">Hubei State Security Department</span> Regional branch of Chinas Ministry of State Security

The Hubei State Security Department is the regional branch of the Chinese Ministry of State Security (MSS) responsible for national security and secret policing in Hubei province of central China. Founded in 1993, it is headquartered in the provincial capital of Wuhan, with subordinate offices in cities and towns across the province.

References

  1. "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  2. Panda, Ankit. "Offensive Cyber Capabilities and Public Health Intelligence: Vietnam, APT32, and COVID-19". Thediplomat.com. Retrieved 29 April 2020.
  3. Tanriverdi, Hakan; Zierer, Max; Wetter, Ann-Kathrin; Biermann, Kai; Nguyen, Thi Do (October 8, 2020). Nierle, Verena; Schöffel, Robert; Wreschniok, Lisa (eds.). "Lined up in the sights of Vietnamese hackers". Bayerischer Rundfunk. In Bui's case the traces lead to a group presumably acting on behalf of the Vietnamese state. Experts have many names for this group: APT 32 and Ocean Lotus are best known. In conversations with a dozen of information security specialists, they all agreed that this is a Vietnamese group spying, in particular, on its own compatriots.
  4. Hay Newman, Lilly. "An Up-Close View of the Notorious APT32 Hacking Group in Action". Wired.com. Retrieved 7 November 2020.
  5. "Vietnamese APT32 group is one of the most advanced APTs in the threat landscape". Cyberdefensemagazine.com. Retrieved 7 November 2020.
  6. Pearson, Jack Stubbs, James (2020-12-11). "Facebook tracks 'OceanLotus' hackers to IT firm in Vietnam". Reuters.com. Retrieved 2021-03-02.{{cite news}}: CS1 maint: multiple names: authors list (link)
  7. Jamie Tarabay (April 23, 2020). "Vietnamese Hackers Targeted China Officials at Heart of Outbreak". Bloomberg.com.
  8. Thayer, Carl. "Did Vietnamese Hackers Target the Chinese Government to Get Information on COVID-19?". Thediplomat.com.
  9. Hui, Mary. "Vietnam's early coronavirus response reportedly included hackers who targeted China". Qz.com.
  10. Vavra, Shannon. "Vietnamese hacking group OceanLotus uses imitation news sites to spread malware". Cyberscoop.com. Cyberscoop. Retrieved 7 November 2020.
  11. Franceschi-Bicchierai, Lorenzo. "Vietnamese Hackers Ran 'Fake News' Websites To Target Visitors". Vice.com. Retrieved 7 November 2020.
  12. "Facebook tracks 'OceanLotus' hackers to IT firm in Vietnam". Reuters.com. 11 December 2020. Retrieved 15 December 2021.
  13. "Vietnamese activists targeted by notorious hacking group". Amnesty.org. Retrieved 2021-03-02.
  14. Coble, Sarah (2021-03-15). "OVH Data Center Fire Impacts Cyber-criminals". Infosecurity-magazine.com. Retrieved 2021-03-15.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.