Facebook unmasks Vietnam’s APT32 hacking group

The Facebook security team has today revealed the real identity of APT32, a Vietnam-backed hacking group active in cyberespionage campaigns targeting foreign governments, multinational corporations, and journalists since at least 2014.

The APT32 nation-state hackers were linked to Vietnamese IT firm CyberOne Group in a report published earlier today by Nathaniel Gleicher, Facebook’s Head of Security Policy, and Mike Dvilyanski, Cyber Threat Intelligence Manager.

“Our investigation linked this activity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso),” they said.

“As our industry partners have previously reported, APT32 has deployed a wide range of adversarial tactics across the internet. We have been tracking and taking action against this group for several years.”

After connecting the APT group to the Vietnamese IT firm, Facebook added all domains associated with the two entities to a global block list to prevent them from being shared on the social network.

Facebook also removed all accounts associated with the group from its platform and notified the individuals that may have been targeted by APT32.

APT32’s tactics, techniques, and procedures

The report also detailed some of the most important TTPs APT32 has used over the years, including social engineering, malicious Android apps distributed through the Play Store, and watering-hole sites, all aimed at compromising targets’ devices and using them for “broad surveillance.”

APT32 operators have posed as businesses and activists on various online platforms and used these fake personas to evade detection even when scrutinized by security researchers.

“Some of their Pages were designed to lure particular followers for later phishing and malware targeting,” the report says.

APT32’s watering holes delivered custom malware payloads built for specific platforms (Windows and macOS). The group’s attacks were directed at a range of individuals and organizations, including:

  • Vietnamese human rights activists locally and abroad
  • Various foreign governments including those in Laos and Cambodia
  • Non-governmental organizations
  • News agencies
  • Businesses from various industry sectors (e.g., information technology, hospitality, hospitals, retail, auto industry, and mobile services)

“The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin,” the two Facebook execs added.

“We shared our findings including YARA rules and malware signatures with our industry peers so they too can detect and stop this activity.”

APT32 campaigns and history

APT32 is a Vietnam-backed advanced persistent threat group (also tracked as OceanLotus and SeaLotus) known to have targeted foreign companies investing in multiple Vietnamese industry sectors.

The nation-state hackers are also known to have been behind attacks against a long list of research institutes around the world, media organizations, various human rights organizations, and Chinese maritime construction firms. [1, 2, 3, 4, 5, 6, 7]

Last year, they also breached the networks of multiple Toyota and Lexus sales subsidiaries, accessing the personal information of roughly 3.1 million Toyota customers, as well as the networks of BMW and Hyundai.

They were also linked to attacks against automotive targets by cybersecurity firm CrowdStrike in a report published in October 2019.

More recently, APT32 carried out spear-phishing attacks targeting China’s Ministry of Emergency Management and the Wuhan municipal government in an attempt to harvest intelligence on the ongoing COVID-19 crisis.

Note: This article is copyright bleepingcomputer.com and is reproduced here for educational and informational purposes only.