Vietnam hacking group

Researchers Identify New Malware Campaigns Linked to Vietnamese Hacking Group

When it comes to state-sponsored hacking groups, big players such as China and Russia tend to get the most attention. But smaller nations are also continuously expanding their capabilities in cyberspace, often with regional goals in mind.

Two studies published in recent days have shown that one of these groups—the Vietnamese state-sponsored threat group APT32, also known as OceanLotus—has expanded its efforts by targeting the country’s Southeast Asian neighbors with malware campaigns.

A new malware campaign using an Association of Southeast Asian Nations-themed spearphishing attack has been targeting the Cambodian government, according to a report published Tuesday by Recorded Future. The campaign, which was attributed to OceanLotus through network traffic analysis and other methods, included military-related documents written in Khmer that contained a mix of legitimate executables and malicious files. Some of those files and indicators were also seen in a second sample uploaded to a malware repository in late October that referenced an ASEAN meeting.

Vietnam has had a shaky relationship with Cambodia for decades, and it has continued to sour in recent years as Cambodia strengthens its political and economic ties with China.

“APT32 focuses on regional campaigns that suit their state objectives,” said Charity Wright, the author of the report. “However, they have been attributed to corporate espionage campaigns in the past. Last year they were attributed to a campaign that targeted the automotive sector around the world.”

In a separate report published last week, researchers at Volexity said that APT32 was behind a series of fake news websites and social media pages that targeted victims with malware.

Some of the fake websites cover general news written in Vietnamese, but others—with names like “kmernews” and “laostimenews”—are written for Cambodian, Laotian, Malaysian, and Philippino audiences. Most of the sites have unique themes and layouts to make it appear that they’re not related to each other, according to the report.

Researchers said that individuals are likely targeted through these websites in two ways: by identifying users who visit the websites through profiling frameworks that exist on many of the pages, and by targeting victims who are sent links to news stories containing malware.

“OceanLotus has continued to evolve the ways in which it seeks to target individuals outside of spear phishing and leveraging compromised websites,” Volexity researchers wrote in a blog post. “The creation and maintenance of several websites, for the purpose of creating a larger online presence in which the attack chain against visitors can be fully controlled, is not an attack method commonly identified. This level of effort shows that OceanLotus will go to great lengths to extend its reach and find new ways to compromise individuals and organizations it has set its focus on.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Adam Janofsky

Adam Janofsky

is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.