Table of Contents
Threat Actor ID
|Motivation||Information theft and espionage|
|Methods||Watering Hole, Malware, Spearphishing|
|Other Names||APT32 (Mandiant)
Ocean Lotus (SkyEye Labs)
Ocean Buffalo (Crowd Strike)
Tin Woodlawn (SecureWorks)
Group’s Mission and Vision
The Ocean Lotus APT group is a hacker group operating against both private and government organizations and their opponents since 2014. The primary motivation behind the attacks carried out by the Ocean Lotus group is information theft and espionage – given the private information sought to be obtained in the attacks and the high-profile individuals targeted.
The targets of the Ocean Lotus group are generally foreign companies with sure success and interests in Vietnam’s hospitality, manufacturing, and consumer goods sectors. As well as the private sector, the Ocean Lotus group targets politicians and journalists opposed to the Vietnamese government.
Targeted Countries & Industries
The cyberespionage group Ocean Lotus, active since 2014, targets organizations in various industries in Vietnam and other Southeast Asian countries.
- South Korea,
Ocean Lotus targeted dissidents and journalists operating against Vietnam.
Ocean Lotus attempted to steal trade secrets by breaching the network security of automotive manufacturers BMW and Hyundai.
Ocean Lotus targeted the Chinese Ministry of Emergency Management and the Wuhan Municipal Government to obtain information on the COVID-19 pandemic.
Ocean Lotus compromised the mod.gov[.]kh domain of the Cambodia Ministry of Defense in its Watering Hole campaign.
Ocean Lotus used mobile malware to attack mobile devices and steal confidential personal information such as SMS, call logs, connections, geolocation, and browser logs
Various security vendors have reported that the Ocean Lotus group also has targeted finance, hospitality, and product sales sectors.
Operations Performed by APT32
In 2016, Ocean Lotus was observed targeting a number of Vietnamese organizations with a watering hole attack. The group used a website that masqueraded as a site for Vietnamese students studying abroad. When visitors to the site attempted to register for an account, they were redirected to a malicious website that served malware. This malware allowed Ocean Lotus to gain control of the victim’s computer.
In 2017, Ocean Lotus carried out a campaign against Vietnam’s National Assembly. The group sent spear phishing emails containing a link to a fake website that mimicked the National Assembly’s intranet login page. Victims who attempted to log in had their credentials stolen by Ocean Lotus.
In 2018, Ocean Lotus launched a successful campaign against Vietnam’s Ministry of Foreign Affairs. The group sent spear phishing emails containing a link to a fake website that mimicked the Ministry of Foreign Affairs intranet login page. Victims who attempted to log in had their credentials stolen by Ocean Lotus.
In 2019, Ocean Lotus was observed targeting a number of Vietnamese organizations with watering hole attacks. The group used websites that masqueraded as sites for Vietnamese students studying abroad. When visitors to the sites attempted to register for an account, they were redirected to malicious websites that served malware. This malware allowed Ocean Lotus to gain control of the victim’s computer.
Ocean Lotus’ operations have continued into 2020. In February 2020, the group was observed targeting Vietnamese organizations with a phishing campaign. The group sent emails containing a link to a fake website that mimicked the login page for Google’s Gmail service. Victims who attempted to log in had their credentials stolen by Ocean Lotus.
Ocean Lotus has been active for over eight years and shows no signs of slowing down. The group is skilled in carrying out sophisticated attacks and is considered a serious threat to organizations in Vietnam and other Southeast Asian countries.
TTPs & Attack Lifecycle
The techniques, tactics, and procedures used by the Ocean Lotus group to violate the security of the target system in their attacks help define the threat group’s characteristics and determine the countermeasures that can be taken. In addition, the information below will be helpful for an overview of how a typical attack lifecycle is performed with the software used by Ocean Lotus and for what purposes the tools are used.
|Tactic||Tactic ID||Technique||Technique ID|
|Initial Access||TA0001||Drive-by Compromise
|Execution||TA0002||Command and Scripting Interpreter
•Windows Command Shell
Exploitation for Client Execution
Software Deployment Tools
Windows Management Instrumentation
|Persistence||TA0003||Boot or Logon Autostart Execution
•Registry Run Keys / Startup Folder
Create or Modify System Process
Hijack Execution Flow
Office Application Startup
Server Software Component
|Privilege Escalation||TA0004||Exploitation for Privilege Escalation
|Defense Evasion||TA0005||Hide Artifacts
•Hidden Files and Directories
•NTFS File Attributes
Indicator Removal on Host
•Clear Windows Event Logs
•Masquerade Task or Service
•Match Legitimate Name or Location
•Rename System Utilities
Obfuscated Files or Information
System Binary Proxy Execution
System Script Proxy Execution
Use Alternate Authentication Material
•Pass the Hash
•Pass the Ticket
|Credential Access||TA0006||Input Capture
OS Credential Dumping
•Credentials in Registry
File and Directory Discovery
Network Service Discovery
Network Share Discovery
Remote System Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
|Tactic||Tactic ID||Technique||Technique ID|
|Lateral Movement||TA0008||Lateral Tool Transfer
•SMB/Windows Admin Shares
Software Deployment Tools
|Collection||TA0009||Archive Collected Data||T1560|
|Command and Control||TA0011||Application Layer Protocol
Ingress Tool Transfer
|Exfiltration||TA0010||Exfiltration Over Alternative Protocol
•Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over C2 Channel
Recommendations & Mitigations
We have listed the steps to be taken in order to be protected from the threat and/or to minimize the possible damage according to the identified techniques, tactics, and procedures of the Ocean Lotus APT group.
Recommendations for Ocean Lotus APT Group
- Use strong passwords and multi-factor authentication
- Keep your software up to date
- Install a reputable security suite
- Be cautious when opening email attachments
- Don’t click on links in emails from unknown senders
- Avoid downloading pirated software or visiting illegal websites
Mitigations for Ocean Lotus APT Group
- Use strong passwords and multi-factor authentication: This will help to protect your accounts from being compromised by password guessing or brute force attacks. Multi-factor authentication adds an extra layer of security by requiring another form of verification, such as a code sent to your mobile phone, in addition to your password.
- Keep your software up to date: Outdated software can contain security vulnerabilities that can be exploited by attackers. By ensuring that your software is up to date, you can help to close these potential entry points.
- Install a reputable security suite: A good security suite can provide protection against a wide range of threats, including viruses, malware, and phishing attacks.
- Be cautious when opening email attachments: Email attachments may contain malicious code that can infect your computer. Before opening an attachment, make sure that you trust the sender and that you have scanned the attachment for viruses using reliable antivirus software.
- Don’t click on links in emails from unknown senders: Emails from unknown or untrustworthy sources may contain malicious code/attachments.
Ocean Lotus is well-resourced and executes its attacks with precision and care. The group uses a variety of custom tools, which suggests a high level of technical capability. Additionally, the group appears to have significant financial resources, as evidenced by its use of 0-day exploits and ability to mount long-term operations.