Facebook says hackers backed by Vietnam’s government are linked to IT firm
Group is known for its robust, custom-made malware. IT firm says the link is a mistake.
Facebook said it has linked an advanced hacking group widely believed to be sponsored by the government of Vietnam to what’s purported to be a legitimate IT company in that country.
The so-called advanced persistent threat group goes under the monikers APT32 and OceanLotus. It has been operating since at least 2014 and targets private sector companies in a range of industries along with foreign governments, dissidents, and journalists in South Asia and elsewhere. It uses a variety of tactics, including phishing, to infect targets with fully featured desktop and mobile malware that’s developed from scratch. To win targets’ confidence, the group goes to great lengths to create websites and online personas that masquerade as legitimate people and organizations.
Earlier this year, researchers uncovered at least eight unusually sophisticated Android apps hosted in Google Play that were linked to the hacking group. Many of them had been there since at least 2018. OceanLotus repeatedly bypassed Google’s app-vetting process, in part by submitting benign versions of the apps and later updating them to add backdoors and other malicious functionality.
FireEye published this detailed report on OceanLotus in 2017, and BlackBerry has more recent information here.
On Thursday, Facebook identified Vietnamese IT firm CyberOne Group as being linked to OceanLotus. The group lists an address in Ho Chi Minh city.
Email sent to the company seeking comment returned an error message that said the email server was misconfigured. A report from Reuters on Friday, however, quoted a person operating the company’s now-suspended Facebook page as saying: “We are NOT Ocean Lotus. It’s a mistake.”
At the time this post went live, the company’s website was also unreachable. An archive of it from earlier on Friday is here.
A recent investigation, Facebook said, uncovered a variety of notable tactics, techniques and procedures including :
- Social engineering: APT32 created fictitious personas across the Internet posing as activists and business entities or used romantic lures when contacting people they targeted. These efforts often involved creating backstops for these fake personas and fake organizations on other Internet services so they appear more legitimate and can withstand scrutiny, including by security researchers. Some of their Pages were designed to lure particular followers for later phishing and malware targeting.
- Malicious Play Store apps: In addition to using Pages, APT32 lured targets to download Android applications through Google Play Store that had a wide range of permissions to allow broad surveillance of people’s devices.
- Malware propagation: APT32 compromised websites and created their own to include obfuscated malicious javascript as part of their watering hole attack to track targets’ browser information. A watering hole attack is when hackers infect websites frequently visited by intended targets to compromise their devices. As part of this, the group built custom malware capable of detecting the type of operating system a target uses (Windows or Mac) before sending a tailored payload that executes the malicious code. Consistent with this group’s past activity, APT32 also used links to file-sharing services where they hosted malicious files for targets to click and download. Most recently, they used shortened links to deliver malware. Finally, the group relied on Dynamic-Link Library (DLL) side-loading attacks in Microsoft Windows applications. They developed malicious files in exe, rar, rtf and iso formats, and delivered benign Word documents containing malicious links in text.
By Dan Goodin – Ars Technica – December 12, 2020
Articles similaires / Related posts:
- Vietnam drafts decree to enforce cybersecurity law on foreign advertising services Digital advertising services offered by online platforms with a Vietnamese user base and revenue earned in the Vietnamese market will be subject to tax liability and Vietnam’s Law on Cybersecurity, according to a new draft decree....
- Cybersecurity in Vietnam has anything changed ? Since adoption of the Law on Cybersecurity in 2018, there has been an ongoing conversation opposing the strict regulatory environment that the Law creates. Strict enforcement, it is said, would disrupt the continuous flow of data so important to commercial development....
- Vietnam to tighten grip on social media livestream activity Vietnam’s government is seeking to increase scrutiny of livestream content on social media such as Facebook and Google, in its latest move to rein in online activities it deems to be anti-state....
- Bittersweet : Vietnam’s mixed progress on E-Government during COVID-19 Despite notable progress in providing digital services, there are still major challenges in accessing these tools in practice....
- Vietnam to restrict which social media accounts can post news With the rising tide of fake news on social media platforms, the debate over how much control a government should have on online information is a perennial one. In Vietnam, the government is intensifying its control over the internet regime....