APT32 Hacker Group Behind Wuhan Cyberattack Has Links to Vietnam IT Firm, Claims Facebook

The infamous APT32, also known as OceanLotus, is allegedly backed by the Vietnam government and has been tracked to a local IT firm.

For every large-scale cyberattack in the last few years, cybersecurity experts and the western intelligence community have accused either Russia, China, Iran or North Korea. Those four nations have been designated enemy states of the U.S. and hence are regularly named by cybersecurity researchers. But now, Facebook says it has been able to identify a cyberespionage group from Vietnam.

Named APT32, also known as Cobalt and OceanLotus, the group is known for targeting companies, journalists, human rights activists, news agencies and political dissidents in Vietnam and abroad. The group is believed to be backed by the Vietnamese government because of the nature of its targets.

Facebook said that Vietnam's local IT firm CyberOne Group, also known as CyberOne Security, was actually behind APT32. "Our investigation linked this activity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hanh Tinh Company Limited, Planet and Diacauso)," Facebook said in a blog post.

[Image: Facebook has linked the APT32 hacker group's identity to an IT firm in Vietnam (representational image). Credit: Pixabay]

Abuse of Facebook's Platform

Facebook's cybersecurity researchers said that APT32 hackers had been abusing the social media platform to target their victims. The group created fake accounts on Facebook, posing as businesses or activists, befriended the targets and then sent them links carrying malware to steal sensitive information or spy on them. According to Facebook, the hackers also used romantic lures.

Furthermore, the group managed to evade Google's malware detection on the Play Store by uploading malware-laced apps that imitated legitimate utility apps. The APT32 hackers then shared links to these apps with their targets on Facebook in order to spy on them.

"These efforts often involved creating backstops for these fake personas and fake organizations on other internet services so they appear more legitimate and can withstand scrutiny, including by security researchers. Some of their Pages were designed to lure particular followers for later phishing and malware targeting," Facebook said.

Facebook has taken down the group's accounts and pages on the platform and has also blocked the associated domains to prevent the group from reusing them in the future. Apart from that, the company has shared YARA rules and malware signatures to help other platforms identify and classify the malware.

[Image: CyberOne's Facebook page has been taken down for allegedly using the platform to target victims. Credit: Facebook / Wayback Machine]

Long History of Cyberattacks

Although APT32 is not as well known as the groups from China and Russia, it has long been associated with a range of cyber crimes, but its operators had never been identified. Recently, it came into the spotlight for targeting local health authorities and government officials in Wuhan, China, where the novel Coronavirus first emerged. The goal of the attacks in April 2020 was to obtain information about the COVID-19 disease, ZDNet reported.

Among the group's targets were politicians and government agencies of neighboring countries such as Laos, Cambodia and the Philippines. It also stole data from prominent carmakers including BMW, Toyota and Hyundai last year within a short span of time, it was reported. Furthermore, the group has shown versatility in adopting new techniques: it uses social engineering, drive-by downloads, custom malware for Windows and macOS, and exploits of well-known bugs in open-source tools to compromise its victims.

Its range of targets and its adaptability to new techniques are hallmarks of a resourceful, persistent threat group. Such attributes are otherwise seen only in sophisticated hacker groups from China, Russia, North Korea and Iran. However, the Vietnamese government has previously denied any links with the group, and CyberOne Group, which has an office in Ho Chi Minh City in Vietnam, has also rejected the allegations. "We are NOT Ocean Lotus. It's a mistake," an individual who handled the company's now-defunct Facebook page told Reuters.

[Image: CyberOne Group, with an official address in Ho Chi Minh City, has been accused of being the front for the OceanLotus (APT32) group. Credit: Wayback Machine]

Facebook vs Vietnam

This is the first time that a company other than the U.S. Department of Justice and prominent cybersecurity firms like FireEye has documented and identified a hacking group and linked it to a government. One reason could be the stand-off between Facebook and the Vietnamese government.

The country's communist government has pressured Mark Zuckerberg's company to censor anti-state content on its platform. The country's lawmakers have even threatened to ban the platform if Facebook did not comply with their requests. Facebook initially refused; as a result, its servers in the country were taken offline, and the company eventually had to comply.
