Between February 2018 and November 2020, Vietnam-linked hacking group Ocean Lotus targeted Vietnamese human rights activists in the country and abroad with spyware, a new report from Amnesty International reveals.
Also referred to as APT32, APT-C-00, SeaLotus, and Cobalt Kitty, Ocean Lotus is a highly sophisticated group that has been active since at least 2012, mainly focused on media, human rights, and civil society organizations, but also targeting Vietnamese political dissidents, foreign governments and companies.
The recently observed attacks were aimed at Vietnamese activists at home and abroad, clearly falling in line with previously observed targeting.
“The investigation conducted by Amnesty International’s Security Lab revealed that two HRDs and a non-profit human rights organization from Viet Nam have been targeted by a coordinated spyware campaign,” Amnesty reveals.
The first of the targets is blogger and pro-democracy activist Bui Thanh Hieu, also known as Nguoi Buon Gio (The Wind Trader), who covers topics such as social and economic justice, as well as human rights. A critic of the Vietnamese government’s policies, he has been living in Germany since 2013.
Between February 2018 and November 2020, Ocean Lotus also targeted Vietnamese Overseas Initiative for Conscience Empowerment (VOICE), a non-profit human rights organization that provides support to Vietnamese refugees.
Reprisals the organization and its staff have faced over the years include harassment, travel bans, and confiscation of passports. Additionally, state-owned media in Vietnam has run a smear campaign against VOICE, calling the organization a terrorist group.
Ocean Lotus also targeted a blogger residing in Vietnam, who spoke out publicly about a January 2020 incident where thousands of security officers raided the Dong Tam village and killed several people.
“Activists and bloggers were at the forefront of the public debate online, prompting a nationwide crackdown on online expression by the government. VOICE and the two bloggers all received emails containing spyware between February 2018 and November 2020,” Amnesty says.
The emails claimed to be carrying an important document, but instead included spyware, either attached or as a link. After execution, the malware would open a decoy document to trick the victim into believing the file was benign. The spyware targeted either macOS or Windows systems.
On Windows machines, a variant of the Ocean Lotus-exclusive malware Kerrdown was deployed to fetch additional spyware, in this case Cobalt Strike, which gave the attackers full access to the victim system.
On macOS systems, the attackers deployed a variant of spyware that Ocean Lotus uses exclusively to target Apple’s desktop platform. The malware would offer access to system information, as well as the ability to download, upload, and execute files, or run commands.
“Our investigation was not able to attribute Ocean Lotus’ activities to any company or government entity. However, the extensive list of people and organizations targeted by Ocean Lotus over the years shows that it has a clear focus on targeting human rights and media groups from Viet Nam and neighboring countries. This raises questions about whether Ocean Lotus is linked to Vietnamese state actors,” Amnesty notes.