In a surprising report from Facebook’s security team, they revealed that they believe the identity of APT32, also known as OceanLotus, is the cybersecurity firm CyberOne Group. OceanLotus, a threat group believed to do work on behalf of the government of Vietnam, has been around since 2014 and has carried out attacks from espionage to cryptocurrency scams. The group carried out a wide-spread campaign in 2019 that targeted automakers around the world. The groups also targeted Wuhan, China in an intelligence-gathering attack at the beginning of the COVID-19 pandemic. According to Facebook, the group would create falsified Facebook accounts pretending to be activists or companies and use their accounts to lure victims by sharing links to domains that they controlled. The links typically lead to phishing websites or malware. Some of the attacks tricked targeted people into downloading Android malware that the OceanLotus group managed to upload to the Google Play store. Facebook took down the accounts and blocked the known domains to prevent the group from using them in the future.
Analyst Notes
Facebook shared YARA rules and malware signatures to help defenders identify if anyone within their network has been affected by these attacks. It is not often that cyber-security companies or teams publicly link APT groups to their real life identities. This attribution from Facebook will likely result in some blowback from the cyber-security community because of the lack of evidence that was provided at the time of writing this article. CyberOne did not respond when contacted. Attacks through social media are common because many users of the platforms use them for leisure, and security is not their top priority when on them. Often, social media messages cannot be scanned by anti-virus, nor are they inspected by corporate security scanning software, making it harder to identify malicious links when sent through messages. Anytime someone receives a link from an unknown person, especially if it leads to a login page, a software download or a mobile app, they should be skeptical when opening it.
More can be read here: https://www.zdnet.com/article/facebook-doxes-apt32-links-vietnams-primary-hacking-group-to-local-it-firm/
IOC’s and YARA Rules: https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/
