Facebook links cyberespionage group APT32 to Vietnamese IT firm

Facebook has suspended some accounts linked to APT32 that were involved in cyber espionage campaigns to spread malware.

Facebook has suspended several accounts linked to the APT32 cyberespionage that abused the platform to spread malware.

Vietnam-linked APT group APT32, also known as OceanLotus and APT-C-00, carried out cyber espionage campaigns against Chinese entities to gather intelligence on the COVID-19 crisis.

The APT32 group has been active since at least 2012, it has targeted organizations across multiple industries and foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed the APT32 group targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

Now the Facebook security team has revealed the real identity of APT32, linking the group to an IT company in Vietnam named CyberOne Group. 

“APT32, an advanced persistent threat actor based in Vietnam, targeted Vietnamese human rights activists locally and abroad, various foreign governments including those in Laos and Cambodia, non-governmental organizations, news agencies and a number of businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services with malware.” said Nathaniel Gleicher, Head of Security Policy at Facebook, and Mike Dvilyanski, Cyber Threat Intelligence Manager. “Our investigation linked this activity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso).

APT32 created and operated a network of Facebook accounts and pages associated with fake people posing as activists or business entities.

The campaign orchestrated by the APT32 targeted Vietnamese human rights activists locally and abroad, foreign governments, including those in Laos and Cambodia, non-governmental organizations, news agencies, and, businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services.

Threat actors were contacting people of interest with romantic lures, they set up pages that were specifically designed to target followers with malware and phishing attacks.

Hackers also shared links to malicious Android apps that were uploaded to the official Google Play Store.

APT32 also carried out watering hole attacks through compromised websites or their own sites. The cyberespionage group employed custom malware designed to compromise the target machines with tailored payloads.

The social network giant also shared information about the cyber group, including YARA rules and malware signatures, with industry partners to allow them to detect and stop this activity. The company also blocked the domains used by the group.

“The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin. We shared our findings including YARA rules and malware signatures with our industry peers so they too can detect and stop this activity.” concludes the report.”To disrupt this operation, we blocked associated domains from being posted on our platform, removed the group’s accounts and notified people who we believe were targeted by APT32.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

[adrotate banner=”5″]

[adrotate banner=”13″]