Vietnamese Hackers Target Human Rights Defenders: Amnesty

Between February 2018 and November 2020, Vietnam-linked hacking group Ocean Lotus targeted Vietnamese human rights activists in the country and abroad with spyware, a new report from Amnesty International reveals.

Also referred to as APT32, APT-C-00, SeaLotus, and Cobalt Kitty, Ocean Lotus is a highly sophisticated group that has been active since at least 2012, mainly focused on media, human rights, and civil society organizations, but also targeting Vietnamese political dissidents, foreign governments and companies.

The recently observed attacks were aimed at Vietnamese activists at home and abroad, clearly falling in line with previously observed targeting.

“The investigation conducted by Amnesty International’s Security Lab revealed that two HRDs and a non-profit human rights organization from Viet Nam have been targeted by a coordinated spyware campaign,” Amnesty reveals.

The first of the targets is blogger and pro-democracy activist Bui Thanh Hieu, also known as Nguoi Buon Gio (The Wind Trader), who covers topics such as social and economic justice, as well as human rights. A critic of the Vietnamese government’s policies, he has been living in Germany since 2013.

Between February 2018 and November 2020, Ocean Lotus also targeted Vietnamese Overseas Initiative for Conscience Empowerment (VOICE), a non-profit human rights organization that provides support to Vietnamese refugees.

The reprisals the organization and its staff faced over the years included harassment, travel bans, and the confiscation of passports. Additionally, state-owned media in Vietnam has run a smear campaign against VOICE, calling the organization a terrorist group.

Ocean Lotus also targeted a blogger residing in Vietnam, who spoke out publicly about a January 2020 incident where thousands of security officers raided the Dong Tam village and killed several people.

“Activists and bloggers were at the forefront of the public debate online, prompting a nationwide crackdown on online expression by the government. VOICE and the two bloggers all received emails containing spyware between February 2018 and November 2020,” Amnesty says.

The emails claimed to be carrying an important document, but instead included spyware, either attached or as a link. After execution, the malware would open a decoy document to trick the victim into believing the file was benign. The spyware targeted either macOS or Windows systems.

On Windows machines, the attackers deployed a variant of Kerrdown, malware used exclusively by Ocean Lotus, to fetch additional spyware (in this case Cobalt Strike), giving them full access to the victim system.

On macOS systems, the attackers used a variant of spyware that Ocean Lotus uses exclusively to target Apple’s desktop platform. The malware offered access to system information, as well as the ability to download, upload, and execute files, or run commands.

“Our investigation was not able to attribute Ocean Lotus’ activities to any company or government entity. However, the extensive list of people and organizations targeted by Ocean Lotus over the years shows that it has a clear focus on targeting human rights and media groups from Viet Nam and neighboring countries. This raises questions about whether Ocean Lotus is linked to Vietnamese state actors,” Amnesty notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
