This hacking group with suspected ties to the Vietnamese government is wreaking havoc

A hacking group with suspected ties to the Vietnamese government, known as APT32 or OceanLotus, has been actively conducting cyber-espionage missions against valuable corporations, foreign governments, dissidents and domestic journalists since at least 2014, according to new research conducted by cybersecurity firm FireEye.

“We have known them to target governments and citizens, but the targeting of global corporations — and the pace at which APT32 adapted — was unexpected,” said FireEye analyst Nick Carr. “Frankly, their capabilities surprised us.”

FireEye was able to confirm that at least 12 private sector organizations were targeted by APT32, which is known to send well-crafted phishing emails with booby-trapped Microsoft Word attachments. Most of the assets initially compromised are geographically located in Southeast Asia, Carr said.

The findings underscore how developing nations are increasingly investing resources to cultivate their own hacking capabilities to effectively collect intelligence on both economic and political targets.


By leveraging a unique suite of hacking tools designed to attack popular operating systems, APT32 has been able to successfully breach organizations based in Germany, China, the United States and the Philippines, experts say.

FireEye believes the group is likely linked to the Vietnamese government because of the hackers’ tendency to target specific businesses, organizations and individuals that are all similarly relevant to Vietnam’s concurrent geopolitical interests.

Over the last several years, APT32 has targeted companies involved in network security, manufacturing, media, banking, hospitality, technology infrastructure and consulting. Material stolen by the group includes trade secrets, logs of confidential conversations and scheduling plans.

“APT32 should serve as a reminder that economic espionage is still a real threat to multinationals, and potentially in nearly any foreign country you enter,” Carr told CyberScoop. “I think people should be aware of these risks — but there are no digital safe-havens. It’s not like there is a better place to go or do business to be safe.”

The Milpitas, Calif.-based cybersecurity giant was able to obtain data concerning APT32’s past operations by collecting forensic evidence left on a network of proprietary internet sensors, in addition to information stored on systems belonging to clients.


“Despite the difficulties of getting network monitoring technology into the country through customs, we have lots of other flexible tech we can use: virtual network traffic and log aggregators as well as the kicker: our host investigative platform (HIP),” Carr said. “We use this for real-time attacker activity.”

Vietnamese government officials have already called the findings of FireEye’s report “groundless.”

Intelligence analysts at FireEye were surprised to see APT32 using such advanced hacking techniques — including a class of capabilities that are typically reserved for nation states — to remain hidden while attacking high-profile organizations.

“They implemented some cool techniques in all phases of the intrusions … these guys were impressive,” Carr said.

APT32 typically conducts covert cyber-espionage by using phishing emails to dynamically inject malware into a host computer, where in most cases the virus hides in-memory only and is updated regularly.


The elite hacking group has been observed leveraging publicly disclosed software vulnerabilities to design malware that specifically targets older versions of popular operating systems. In addition, it appears as if APT32 in at least one case used an open-source tool to destroy forensic evidence left behind on a victim’s computer.

“The impressive APT32 operations did not stop after they established a foothold in victim environments. Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation framework,” a blog post published Sunday by FireEye reads.

Written by Chris Bing
