Ocean Lotus Threat Actors Project by John Sitima 2024
OCEAN LOTUS CYBER-THREAT ACTORS
Completed by John Sitima
In partial fulfilment of Cybersecurity for Everyone
(C) 2024
Cybersecurity
Cybersecurity refers to the practice of protecting internet-connected systems, including hardware, software, and data, from attack, damage, or unauthorized access.
Threat actors
These are individuals or groups who purposefully harm digital devices or systems.
Ocean Lotus
OceanLotus, also recognized as APT32, is a threat actor that emerged from Vietnam in 2014. This group has focused on various sectors such as manufacturing, network security, technology infrastructure, banking, media, and consumer products.
Capability and tactics used by Ocean Lotus cyber threat actors
The APT32 group has been known to employ a wide range of attack vectors and tools to compromise its targets. These include spear-phishing emails, watering hole attacks, social engineering techniques, and the use of custom malware. The group has been observed using various malware families, such as Cobalt Strike, PlugX, and PowerShell-based backdoors, to establish persistence on compromised systems and exfiltrate sensitive data.
The group has been linked to cyber attacks targeting dissidents and human rights activists, indicating a broader agenda that includes monitoring and suppressing internal dissent (Amnesty 2021).
Motivations of Ocean Lotus
The motivations of the OCEANLOTUS threat actor are believed to be primarily related to espionage and intelligence gathering. They have been known to target government agencies, defense contractors, and technology companies to steal sensitive information that could be used for strategic or financial gain.
The targets of the Ocean Lotus group are generally foreign companies with business interests in Vietnam's hospitality, manufacturing, and consumer goods sectors. As well as the private sector, the Ocean Lotus group targets politicians and journalists opposed to the Vietnamese government (Brandefense 2022).
Ocean Lotus geo-political context
The cyberespionage group Ocean Lotus, active since 2014, targets organizations in various industries in Vietnam and other Southeast Asian countries.
The group has been known to employ a wide range of attack vectors and tools to compromise its targets. These include spear-phishing emails, watering hole attacks, social engineering techniques, and the use of custom malware.
The group has been observed using various malware families, such as Cobalt Strike, PlugX, and PowerShell-based backdoors, to establish persistence on compromised systems and exfiltrate sensitive data for ransom and corporate espionage.
THE HACKING PROCESS
The Ocean Lotus Group has utilised these steps in exploiting their numerous targeted victims.
Tactics used by Ocean Lotus actors on their targets
3. Social Engineering:
Ocean Lotus actors rely heavily on social engineering techniques to gather information about their targets and gain their trust.
Tactics used by Ocean Lotus actors on their targets (continued)
4. Malware Deployment:
The group has been linked to the use of various custom-made malware families, including Cobalt Strike, PlugX, and PowerShell-based backdoors. These malware families are designed to establish persistent access, exfiltrate data, and conduct further reconnaissance on the compromised systems.
5. Exploitation of Vulnerabilities:
Ocean Lotus actors actively seek out and exploit vulnerabilities in popular software, operating systems, and web applications to gain initial access to their targets. They often leverage zero-day vulnerabilities to bypass security measures and maintain a stealthy presence on the compromised systems.
Tactics used by Ocean Lotus actors on their targets (continued)
7. Data Exfiltration:
The ultimate goal of Ocean Lotus's operations is to gather intelligence and exfiltrate sensitive data from their targets.
The group has been observed using various techniques, such as encrypted data transfers, to siphon off valuable information without raising suspicion.
Case studies of cyber attacks by the Ocean Lotus Group and their effects over the years
Case 1: In 2017,
Ocean Lotus carried out a campaign against Vietnam's National Assembly. The group sent spear phishing emails containing a link to a fake website that mimicked the National Assembly's intranet login page. Victims who attempted to log in had their credentials stolen by Ocean Lotus.
The Effects:
Primary effects:-
The website was defaced. The threat actors obtained the credentials of Vietnam's National Assembly members via the intranet, which left the intranet inoperable for some time.
Secondary effects:-
The attack disrupted the functioning of the intranet, with the secondary effect that Vietnam's National Assembly could not carry out its government duties effectively.
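The lure in Case 1 (a link to a lookalike intranet login page) is the kind of thing mail filters and SOC analysts screen for. The following is an added example, not code from the report; it assumes a constructed placeholder intranet domain assembly.example and a constructed email body, and flags URLs whose host reuses or misspells the legitimate intranet's name.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): the report does not name the real
# National Assembly intranet host, so a placeholder domain is used here.
LEGIT_DOMAIN = "assembly.example"
LEGIT_LABEL = "assembly"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample email in the style of the 2017 lure: a fake login link
# that embeds the real host name inside an attacker-controlled domain.
SAMPLE_EMAIL = """Dear member, your intranet password expires today.
Re-authenticate at https://intranet.assembly.example.login-portal.test/auth
Official portal: https://intranet.assembly.example/login
Agenda: https://www.vendor-news.test/article/123"""

def fold(label: str) -> str:
    """Fold common digit/letter homoglyphs so 'assemb1y' compares as 'assembly'."""
    for src, dst in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m")):
        label = label.replace(src, dst)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legit"
    for label in host.split("."):
        folded = fold(label)
        # Brand label reused under a foreign registrable domain, or misspelt.
        if LEGIT_LABEL in folded or levenshtein(folded, LEGIT_LABEL) <= 2:
            return "lookalike"
    return "unrelated"

def flag_links(body: str) -> list:
    """Extract every URL from an email body and classify its host."""
    return [(url, classify_host(urlparse(url).hostname or ""))
            for url in URL_RE.findall(body)]
```

Running flag_links(SAMPLE_EMAIL) labels the first link "lookalike", the official portal "legit" and the news link "unrelated".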
In Operation Cobalt Kitty, the Ocean Lotus group targeted global corporations based in Asia with the goal of stealing proprietary business information. The threat actor targeted the companies' top-level management by using spear-phishing attacks as the initial penetration vector.
Secondary effects:-
The attack disrupted the functioning of the companies, resulting in the secondary effects of loss of revenue and income.
Case studies of cyber attacks by the Ocean Lotus Group and their effects over the years (continued)
OceanLotus used spear-phishing and malware, in keeping with its modus operandi, to target China's Ministry of Emergency Management and the Wuhan municipal government in order to obtain information about the COVID-19 pandemic. The Vietnamese Ministry of Foreign Affairs denied the accusations.
The Effects:
Primary effects:-
The attack directly compromised the workstations, file servers, web application server and database server used in collecting and collating Covid-19 data, making them inoperable for a time.
Secondary effects:-
The attack disrupted the real-time transmission of Covid-19 stats and data to the numerous stakeholders who needed it for decision making.
2. Politically Motivated:
The primary objective of Ocean Lotus appears to be cyber espionage, with a focus on gathering intelligence for political, economic, and strategic purposes.
The group's targets have primarily included government organizations, foreign corporations, dissidents, and other entities of interest to the Vietnamese government, suggesting a state-sponsored or state-aligned nature.
Characteristics of Oceanlotus cyber threat actors (continued)
4. Operationally Sophisticated:
The Ocean Lotus actors have exhibited a high level of operational security, employing advanced obfuscation techniques, utilizing legitimate network protocols for command-and-control, and maintaining a low profile to avoid detection.
Their ability to conduct successful spear-phishing campaigns, watering hole attacks, and lateral movement within compromised networks underscores their operational sophistication.
5. Geographically Focused:
The group's activities have primarily targeted organizations and individuals in Southeast Asian countries, particularly Vietnam, Laos, Cambodia, and the Philippines.
This regional focus suggests a strong alignment with the interests and objectives of the Vietnamese government or state-affiliated entities. (Source: Bloomberg.com 2021)
6. Potentially State-Sponsored:
While definitive attribution is challenging in the cyber domain, various cybersecurity firms and government agencies have attributed the Ocean Lotus activities to threat actors originating from Vietnam.
The group's consistent focus on intelligence gathering and the alignment of its targets with Vietnamese interests suggest potential state sponsorship or support. (Source: Bloomberg.com 2021)
Oceanlotus cyber threat actors: a private problem for business or a public concern for policy makers?
Possible responses by policy makers to Oceanlotus cyber threat actors
Conclusion
Overall, the Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
REFERENCES
1. https://cdn.amnesty.at/media/11606/amnesty-report_caught-in-the-net_the-global-threat-from-eu-regulated-spyware_oktober-2023.pdf (accessed on 07/03/2024)
2. https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2018-05.pdf
3. https://www.cybereason.com/blog/operation-cobalt-kitty-apt (accessed on 01/06/2024)
4. https://www.cfr.org/cyber-operations/export-incidents (accessed on 05/04/2024)
5. https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf (accessed on 11/04/2024)
6. https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-apt-attacks-on-industrial-companies-in-2019/ (accessed on 11/04/2024)
7. https://www.bloomberg.com/news/articles/2020-04-23/vietnamese-hackers-targeted-china-officials-at-heart-of-outbreak (accessed on 03/06/2024)
8. https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/ (accessed on 13/04/2024)
9. https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf