Ocean Lotus APT Group (APT32)

Download IoCs

Threat Actor ID

CountryVietnam
SponsorState-sponsored
First Seen2014
MotivationInformation theft and espionage
MethodsWatering Hole, Malware, Spearphishing
Other NamesAPT32 (Mandiant)Ocean Lotus (SkyEye Labs)

Ocean Buffalo (Crowd Strike)

Tin Woodlawn (SecureWorks)

Group’s Mission and Vision

The Ocean Lotus APT group is a hacker group operating against both private and government organizations and their opponents since 2014. The primary motivation behind the attacks carried out by the Ocean Lotus group is information theft and espionage – given the private information sought to be obtained in the attacks and the high-profile individuals targeted.

The targets of the Ocean Lotus group are generally foreign companies with sure success and interests in Vietnam’s hospitality, manufacturing, and consumer goods sectors. As well as the private sector, the Ocean Lotus group targets politicians and journalists opposed to the Vietnamese government.

Targeted Countries & Industries

The cyberespionage group Ocean Lotus, active since 2014, targets organizations in various industries in Vietnam and other Southeast Asian countries.

  • Indonesia,
  • Iran,
  • Japan,
  • Laos,
  • Malaysia,
  • Myanmar,
  • Nepal,
  • Netherlands,
  • Philippines,
  • Singapore,
  • South Korea,
  • Thailand,
  • UK,
  • USA,
  • Vietnam,
  • ASEAN,
  • Australia,
  • Bangladesh,
  • Brunei,
  • Cambodia,
  • China,
  • Denmark,
  • Germany,
  • India.

Figure 1: Targeted countries

 ocean lotus apt group apt32 Ocean Lotus targeted dissidents and journalists operating against Vietnam.

 ocean lotus apt group apt32Ocean Lotus attempted to steal trade secrets by breaching the network security of automotive manufacturers BMW and Hyundai.

ocean lotus apt group apt32 Ocean Lotus targeted the Chinese Ministry of Emergency Management and the Wuhan Municipal Government to obtain information on the COVID-19 pandemic.

ocean lotus apt group apt32 Ocean Lotus compromised the mod.gov[.]kh domain of the Cambodia Ministry of Defense in its Watering Hole campaign.

ocean lotus apt group apt32 Ocean Lotus used mobile malware to attack mobile devices and steal confidential personal information such as SMS, call logs, connections, geolocation, and browser logs

ocean lotus apt group apt32 Various security vendors have reported that the Ocean Lotus group also has targeted finance, hospitality, and product sales sectors.

Operations Performed by APT32

In 2016, Ocean Lotus was observed targeting a number of Vietnamese organizations with a watering hole attack. The group used a website that masqueraded as a site for Vietnamese students studying abroad. When visitors to the site attempted to register for an account, they were redirected to a malicious website that served malware. This malware allowed Ocean Lotus to gain control of the victim’s computer.

In 2017, Ocean Lotus carried out a campaign against Vietnam’s National Assembly. The group sent spear phishing emails containing a link to a fake website that mimicked the National Assembly’s intranet login page. Victims who attempted to log in had their credentials stolen by Ocean Lotus.

In 2018, Ocean Lotus launched a successful campaign against Vietnam’s Ministry of Foreign Affairs. The group sent spear phishing emails containing a link to a fake website that mimicked the Ministry of Foreign Affairs intranet login page. Victims who attempted to log in had their credentials stolen by Ocean Lotus.

In 2019, Ocean Lotus was observed targeting a number of Vietnamese organizations with watering hole attacks. The group used websites that masqueraded as sites for Vietnamese students studying abroad. When visitors to the sites attempted to register for an account, they were redirected to malicious websites that served malware. This malware allowed Ocean Lotus to gain control of the victim’s computer.

Ocean Lotus’ operations have continued into 2020. In February 2020, the group was observed targeting Vietnamese organizations with a phishing campaign. The group sent emails containing a link to a fake website that mimicked the login page for Google’s Gmail service. Victims who attempted to log in had their credentials stolen by Ocean Lotus.

Ocean Lotus has been active for over eight years and shows no signs of slowing down. The group is skilled in carrying out sophisticated attacks and is considered a serious threat to organizations in Vietnam and other Southeast Asian countries.

TTPs & Attack Lifecycle

The techniques, tactics, and procedures used by the Ocean Lotus group to violate the security of the target system in their attacks help define the threat group’s characteristics and determine the countermeasures that can be taken. In addition, the information below will be helpful for an overview of how a typical attack lifecycle is performed with the software used by Ocean Lotus and for what purposes the tools are used.

TacticTactic IDTechniqueTechnique ID
Initial AccessTA0001Drive-by CompromisePhishing

•Spearphishing Attachment

•Spearphishing Link

Valid Accounts

•Local Accounts

T1189T1566

T1566.001

T1566.002

T1078

T1078.003

ExecutionTA0002Command and Scripting Interpreter•JavaScript

•PowerShell

•Visual Basic

•Windows Command Shell

Exploitation for Client Execution

Scheduled Task/Job

•Scheduled Task

Software Deployment Tools

System Services

•Service Execution

•Malicious File

•Malicious Link

Windows Management Instrumentation

T1059T1059.007

T1059.001

T1059.005

T1059.003

T1203

T1053

T1053.005

T1072

T1569

T1569.002

T1204.002

T1204.001

T1047

PersistenceTA0003Boot or Logon Autostart Execution•Registry Run Keys / Startup Folder

Create or Modify System Process

•Windows Service

Hijack Execution Flow

•DLL Side-Loading

Office Application Startup

Server Software Component

•Web Shell

T1547T1547.001

T1543

T1543.003

T1574

T1574.002

T1137

T1505

T1505.003

Privilege EscalationTA0004Exploitation for Privilege EscalationProcess InjectionT1068T1055
Defense EvasionTA0005Hide Artifacts•Hidden Files and Directories

•Hidden Window

•NTFS File Attributes

Indicator Removal on Host

•Clear Windows Event Logs

•File Deletion

•Timestomp

Masquerading

•Masquerade Task or Service

•Match Legitimate Name or Location

•Rename System Utilities

Modify Registry

Obfuscated Files or Information

•Binary Padding

System Binary Proxy Execution

•Mshta

•Regsvr32

•Rundll32

System Script Proxy Execution

•PubPrn

Use Alternate Authentication Material

•Pass the Hash

•Pass the Ticket

T1564T1564.001

T1564.003

T1564.004

T1070

T1070.001

T1070.004

T1070.006

T1036

T1036.004

T1036.005

T1036.003

T1112

T1027

T1027.001

T1218

T1218.005

T1218.010

T1218.011

T1216

T1216.001

T1550

T1550.002

T1550.003

Credential AccessTA0006Input Capture•Keylogging

OS Credential Dumping

•LSASS Memory

Unsecured Credentials

•Credentials in Registry

T1056T1056.001

T1003

T1003.001

T1552

T1552.002

DiscoveryTA0007Account Discovery•Local Account

File and Directory Discovery

Network Service Discovery

Network Share Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

System Owner/User Discovery

T1087T1087.001

T1083

T1046

T1135

T1012

T1018

T1082

T1016

T1049

T1033

TacticTactic IDTechniqueTechnique ID
Lateral MovementTA0008Lateral Tool TransferRemote Services

•SMB/Windows Admin Shares

Software Deployment Tools

T1570T1021

T1021.002

T1072

CollectionTA0009Archive Collected DataT1560
Command and ControlTA0011Application Layer Protocol•Mail Protocols

•Web Protocols

Ingress Tool Transfer

Non-Standard Port

Web Service

T1071T1071.003

T1071.001

T1105

T1571

T1102

ExfiltrationTA0010Exfiltration Over Alternative Protocol•Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

T1048T1048.003

T1041

Figure 2: Attack Lifecycle Ocean Lotus / APT32

Recommendations & Mitigations

We have listed the steps to be taken in order to be protected from the threat and/or to minimize the possible damage according to the identified techniques, tactics, and procedures of the Ocean Lotus APT group.

Recommendations for Ocean Lotus APT Group

  • Use strong passwords and multi-factor authentication
  • Keep your software up to date
  • Install a reputable security suite
  • Be cautious when opening email attachments
  • Don’t click on links in emails from unknown senders
  • Avoid downloading pirated software or visiting illegal websites

Mitigations for Ocean Lotus APT Group

  • Use strong passwords and multi-factor authentication: This will help to protect your accounts from being compromised by password guessing or brute force attacks. Multi-factor authentication adds an extra layer of security by requiring another form of verification, such as a code sent to your mobile phone, in addition to your password.
  • Keep your software up to date: Outdated software can contain security vulnerabilities that can be exploited by attackers. By ensuring that your software is up to date, you can help to close these potential entry points.
  • Install a reputable security suite: A good security suite can provide protection against a wide range of threats, including viruses, malware, and phishing attacks.
  • Be cautious when opening email attachments: Email attachments may contain malicious code that can infect your computer. Before opening an attachment, make sure that you trust the sender and that you have scanned the attachment for viruses using reliable antivirus software.
  • Don’t click on links in emails from unknown senders: Emails from unknown or untrustworthy sources may contain malicious code/attachments.

Conclusion

Ocean Lotus is well-resourced and executes its attacks with precision and care. The group uses a variety of custom tools, which suggests a high level of technical capability. Additionally, the group appears to have significant financial resources, as evidenced by its use of 0-day exploits and ability to mount long-term operations.