A hacking group that researchers believe is working for Vietnam's government ran almost twenty fake websites and several Facebook pages in an attempt to gather information on visitors and infect some of them with malware, according to new research.
The cybersecurity firm Volexity published a report on Friday accusing the group known as OceanLotus of creating and maintaining a series of websites that appeared to be legitimate news websites, but instead were filled with articles scraped from other publications. The group, also known as APT32, has recently targeted the government in Wuhan and other Chinese targets in an attempt to collect evidence on COVID-19.
This new research shows that government hacking groups are getting more creative in targeting victims, and are willing to run entire websites with the goal of hacking their targets.
"We do not have much information on who they have surgically targeted," Steven Adair, the founder of Volexity, said in an online chat. "However, we do know they have been building content and engaging with people that would be interested in Vietnamese politics or news that would certainly be different than what would be published from official Vietnamese Government sources."
Vietnam is ranked as one of the worst countries of the world in terms of press freedom, according to the annual Reporters Without Borders ranking.
Adair, who is the lead researcher on the report, said that this hacking campaign was focused mainly on Vietnamese speakers, but also people living in neighboring countries such as Cambodia, Malaysia, Laos, and the Philippines.
The sites—some with more than 10,000 articles in them—contained a "profiling framework" designed to track who visited them and deliver malware in some cases. One site in particular, nhansudaihoi13.org, is dedicated to the upcoming 13th Vietnamese Communist Congress. The site had a corresponding Facebook page with more than 1,000 likes, according to Volexity.
Do you have any information on OceanLotus or another government hacking group? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at email@example.com, or email firstname.lastname@example.org.
Motherboard sent an message to an email address that appears on the site, but we haven't received an answer.
Facebook said that it removed the page two months ago as part of the company's monitoring of malicious activity on the platform.
Volexity also said they found malware created by OceanLotus to target victims using Windows, MacOS, and Android. The hackers put the malware only on some pages on the websites. When visitors accessed these pages, a script would capture information on the visitor, and then a second script was designed to trick targets into downloading malware-laden software updates or documents, according to Volexity.
Cybersecurity firms like FireEye have linked OceanLotus to the government of Vietnam. In this case, Volexity found that the websites all contained a framework to track visitors that was a "variation" of a previous framework used by OceanLotus.
"We do believe and agree with others that OceanLotus is based out of Vietnam and most likely tied to their Government," Adair said. "Volexity does not typically look to get into detailed or actual attribution, but there is no other logical explanation as to who would be behind this activity. The amount of time and effort it takes to build these campaigns, malware, infrastructure, etc is immense."
Earlier this year, Vietnam's Ministry of Foreign Affairs deputy spokesperson Ngo Toan Thang called accusations of Vietnam's involvement in OceanLotus activity as "groundless information."
"Vietnam strictly bans all cyber-attacks against organizations and individuals in any form," the spokesperson said at the time.
Would you like to read more stories about hacking, privacy, and surveillance? Subscribe to our pop-up 'zine The Mail. The next issue is about hacking culture.