APT32 state hackers target human rights defenders with spyware

Vietnam-linked APT32 group targeted Vietnamese human rights defenders (HRDs) between February 2018 and November 2020.

Vietnam-linked APT32 (aka Ocean Lotus) group has conducted a cyberespionage campaign targeting Vietnamese human rights defenders (HRDs) and a nonprofit (NPO) human rights organization from Vietnam between February 2018 and November 2020.

The threat actors used by spyware to take over the target systems, spy on the victims, and exfiltrate data.

“Amnesty Tech’s Security Lab found technical evidence in phishing emails sent to two prominent Vietnamese human rights defenders, one of whom lives in Germany, and a Vietnamese NGO based in the Philippines, showing that Ocean Lotus is responsible for the attacks between 2018 and November 2020.” reads the post published by Amnesty International.

The APT32 group has been active since at least 2012, it has targeted organizations across multiple industries and foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

“These latest attacks by Ocean Lotus highlight the repression Vietnamese activists at home and abroad face for standing up for human rights,” said Amnesty Tech researcher Likhita Banerji. “This unlawful surveillance violates the right to privacy and stifles freedom of expression.”

“The Vietnamese government must carry out an independent investigation. Any refusal to do so will only increase suspicions that the government is complicit in the Ocean Lotus attacks.”

The attack chain begins with spear-phishing messages that include a link to an alleged important document to download. The link points to files containing spyware that could infect both Mac OS or Windows systems.

The Windows spyware employed in this campaign is a variant of malware tracked as Kerrdown that was exclusively used by the Ocean Lotus group in the past. Kerrdown downloads and installs additional spyware from a server on the victim’s system, then it opens a decoy document.

The attackers used the Cobalt Strike post-exploitation toolkit to access the compromised system.

“Although Amnesty International was unable to independently verify any direct connection between Ocean Lotus and CyberOne or with the Vietnamese authorities, the attacks described in this investigation confirm a pattern of targeting Vietnamese individuals and organizations,” Amnesty International concludes. “Online expression in Viet Nam is increasingly being criminalized as part of a wider crackdown on critical voices. Activists are jailed, harassed, attacked, and censored into silence on the basis on vague and overbroad laws that do not comply with international human rights standards.”

The full report is available here.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT32)

[adrotate banner=”5″]

[adrotate banner=”13″]