The cyber-espionage actors that FireEye designates as APT32 (also known as the OceanLotus Group) are actively conducting intrusions into private companies across multiple industries, and have also targeted governments, dissidents and journalists. FireEye assesses that APT32 relies on a specific, full-featured suite of malware, in conjunction with commercially available tools, to conduct targeted operations aligned with the national interests of Vietnam.
APT32 targets the activities of private-sector companies in Southeast Asia
Since at least 2014, FireEye has observed APT32 targeting foreign companies with direct interests in Vietnam's manufacturing, consumer-goods and hospitality sectors. There are also indications that APT32 actors target network-security and IT-infrastructure companies, as well as consulting firms that may be linked to foreign investors.
The intrusions analyzed by FireEye and attributed to APT32 since 2014 are detailed below:
· In 2014, a European company was compromised prior to the construction of a manufacturing plant in Vietnam.
· In 2016, Vietnamese and foreign companies working in network security, IT infrastructure, banking and media were targeted.
· In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality-industry player with plans to expand its operations in Vietnam.
· In 2016 and 2017, two subsidiaries of American and Philippine consumer-products companies operating in Vietnam were the targets of APT32 intrusions.
· In 2017, APT32 attacked the offices of a multinational consulting firm.
APT32's activities in politics and international relations
In addition to its activities against the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists, since at least 2013. Details of this activity are below:
· A public blog post by the Electronic Frontier Foundation reported that journalists, activists, dissidents and bloggers were targeted in 2013 with malware and tactics related to APT32 operations.
· In 2014, APT32 used a spear-phishing attachment entitled “Plans to fight the protestors at the embassy of the Vietnam.exe”, which targeted dissident activity within the Vietnamese diaspora in Southeast Asia. Also in 2014, APT32 carried out an intrusion into the parliament of a Western country.
· In 2015, SkyEye Labs, the security research division of the Chinese company Qihoo 360, published a report detailing threat actors targeting Chinese public and private organizations, including government agencies, research institutes, maritime agencies, shipping companies and shipbuilders. The information in that report indicated that the attackers used the same malware, infrastructure and targets as APT32.
· In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye believes to be unique to APT32.
· In 2017, the social-engineering content of the lures used by the actor indicated that the attack probably targeted members of the Vietnamese diaspora in Australia as well as government employees in the Philippines.
Tactics used by APT32
In its attacks, APT32 used ActiveMime files together with social-engineering methods to entice the victim into enabling macros. When run, the file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver malicious content via phishing emails today.
APT32 actors designed lure documents in several languages, tailored to specific victims. Although these files carried a “.doc” extension, the recovered phishing lures were actually “.mht” ActiveMime web-page files containing text and images. These files were probably created by exporting Word documents as web pages.
APT32 operators implemented several innovative techniques to track the effectiveness of their phishing attacks, control the distribution of their malicious documents, and establish persistence mechanisms that dynamically update the backdoors injected into the memory of their targets' machines.
To keep track, in real time, of who opened the phishing emails, viewed the links and downloaded attachments, APT32 used cloud-based email analytics software of the kind used by commercial enterprises. In some cases, APT32 abandoned email attachments entirely and relied solely on this tracking technique, with links to its ActiveMime lures hosted remotely on legitimate cloud-storage services.
To improve visibility into the distribution of its phishing lures, APT32 used the native ability of ActiveMime web-page documents to load images hosted remotely on infrastructure under its control.
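As an added defensive example (not code from the FireEye report), the following Python triages a file that claims to be a Word document: it flags .doc-named files that are really MHTML web archives, locates embedded ActiveMime parts (the editdata.mso component, which begins with the ASCII magic "ActiveMime"), and lists the remote image references such a lure would load on open. The sample .mht, its file paths and the tracking URL are constructed for the example.

```python
import base64
import email
import re
from dataclasses import dataclass, field
from email import policy

# Constructed sample: a file named like a Word document that is really an MHTML
# web archive with an ActiveMime part (editdata.mso) and a remote tracking image.
_FAKE_MSO = base64.b64encode(b"ActiveMime\x00\x00" + b"\x00" * 16).decode()
SAMPLE_MHT = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="----=_Part_0001"\n\n'
    "------=_Part_0001\n"
    "Content-Location: file:///C:/Users/user/Desktop/lure.htm\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "Content-Transfer-Encoding: quoted-printable\n\n"
    '<html><body><img src=3D"http://tracking.example.invalid/pixel.gif">'
    "<p>Enable content to view this document.</p></body></html>\n\n"
    "------=_Part_0001\n"
    "Content-Location: file:///C:/Users/user/Desktop/lure_files/editdata.mso\n"
    "Content-Type: application/x-mso\n"
    "Content-Transfer-Encoding: base64\n\n"
    f"{_FAKE_MSO}\n\n"
    "------=_Part_0001--\n"
)

@dataclass
class Findings:
    mhtml_masquerade: bool = False                 # Office-named file that is really MHTML
    activemime_parts: list[str] = field(default_factory=list)  # Content-Location of MSO parts
    remote_images: list[str] = field(default_factory=list)     # http(s) images the page loads

    def suspicious(self) -> bool:
        return self.mhtml_masquerade and bool(self.activemime_parts)

def analyze_document(filename: str, data: bytes) -> Findings:
    f = Findings()
    head = data[:512].lstrip()
    if not (head.startswith(b"MIME-Version:") or head.startswith(b"From:")):
        return f   # not MHTML (e.g. a genuine OLE2 .doc starts with D0 CF 11 E0)
    f.mhtml_masquerade = filename.lower().endswith((".doc", ".docx", ".rtf"))
    msg = email.message_from_bytes(data, policy=policy.default)
    for part in msg.walk():
        payload = part.get_payload(decode=True) or b""   # None for multipart containers
        if payload.startswith(b"ActiveMime"):             # magic at the start of editdata.mso
            f.activemime_parts.append(str(part.get("Content-Location", "")))
        if part.get_content_type() == "text/html":
            html = payload.decode("utf-8", errors="replace")
            f.remote_images += re.findall(r'<img[^>]+src=["\'](https?://[^"\']+)', html, re.I)
    return f
```

A mail gateway or sandbox can apply the same check to attachments; a .doc that parses as MIME and carries an ActiveMime part is the pattern described above, and any remote image URL it references is worth blocking and logging rather than fetching.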
APT32 malware and infrastructure
APT32 appears to have substantial development resources and uses a suite of custom backdoors spanning multiple protocols. APT32 operations are characterized by the deployment of malware whose signatures include WINDSHIELD, KOMPROGO, SOUNDBITE and PHOREAL. APT32 often deploys these backdoors in conjunction with the commercially available Cobalt Strike BEACON backdoor. APT32 also has the capability to develop backdoors for macOS.
Outlook and implications
Based on incident-response investigations, product detections, feedback from intelligence analysts and complementary publications, FireEye assesses that APT32 is a cyber-espionage group aligned with the interests of the Vietnamese government. APT32's targeting of private interests is notable, and FireEye believes this actor represents a significant risk to companies doing business in, or preparing to invest in, the country. Although the motivation for each APT32 attack against the private sector has varied, and in some cases could not be determined, unauthorized intrusion may serve as a basis for judicial investigations, theft of intellectual property, or anti-corruption measures that could ultimately erode the competitive advantages of the targeted companies. In addition, APT32 continues to threaten political activism and freedom of expression in Southeast Asia and in public administrations around the world. Governments, journalists and members of the Vietnamese diaspora may continue to be targeted.
Although actors such as China, Iran, Russia and North Korea remain the most active sources of cyber-espionage threats that FireEye tracks and responds to, APT32 reflects a growing set of new countries that have adopted this dynamic capability. APT32 demonstrates the impact offensive capabilities can have when actors make the right investments and have the flexibility needed to master new tools and techniques. As a growing number of countries conduct effective and inexpensive cyber operations, public awareness of these threats and a renewed dialogue are needed about nation-state intrusions that go beyond public-sector and intelligence targets.