I was alerted to this ESET paper (https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf). On page 15 (see screenshot) you can see that #OceanLotus uses DNS-based requests and encodes the name of the computer right there.
With access to a PassiveDNS database (thank you, @FarsightSecInc) you start with one domain, grab all IP-addresses it was hosted on. Look for new domains on those IPs. Try to find the pattern. Rinse and repeat. @MichaelKreil wrote the script. Resulted in more than 1000 names.
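The rinse-and-repeat loop described above, as an added example (this is not the script @MichaelKreil wrote, and it is not Farsight's client code). Farsight DNSDB needs an API key, so the passive-DNS data here is a small constructed in-memory table with made-up names and IPs; `lookup_rrset()` and `lookup_rdata()` are the two calls you would replace with a real client. It also adds the check that keeps such a pivot from exploding: an IP that hosts many unrelated registered domains is shared hosting or a CDN and is recorded but not expanded.

```python
"""Passive-DNS pivot: seed domain -> IPs it resolved to -> other names seen on
those IPs -> repeat until no new infrastructure shows up.

Added illustration, not the thread's script. The data is a CONSTRUCTED
in-memory table; swap lookup_rrset()/lookup_rdata() for real client calls."""

from collections import deque

# Constructed sample records (rrname, rrtype, rdata). All names and IPs are
# invented for illustration and are not indicators from the ESET report.
PDNS = [
    ("c2-one.example", "A", "198.51.100.10"),
    ("mail.c2-one.example", "A", "198.51.100.10"),
    ("WORKSTATION-01.c2-one.example", "A", "198.51.100.10"),
    ("c2-two.example", "A", "198.51.100.10"),
    ("c2-two.example", "A", "203.0.113.7"),
    ("tequilaboomboom.c2-two.example", "A", "203.0.113.7"),
    ("c2-three.example", "A", "203.0.113.7"),
    ("c2-three.example", "A", "192.0.2.99"),
] + [
    # A shared-hosting IP carrying many unrelated domains: a pivot trap.
    (f"tenant{i}.example", "A", "192.0.2.99") for i in range(50)
]

# Left-most labels known to come from sandboxes rather than victims. One such
# name is cited in the thread; treating it as a sandbox marker is an assumption.
SANDBOX_LABELS = {"tequilaboomboom"}


def registered_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels). Real code should use a public-suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def lookup_rrset(domain: str) -> set:
    """IPs that the domain or any of its subdomains resolved to."""
    return {ip for n, t, ip in PDNS if t == "A" and registered_domain(n) == domain}


def lookup_rdata(ip: str) -> set:
    """Every name ever seen resolving to this IP."""
    return {n for n, t, rdata in PDNS if t == "A" and rdata == ip}


def pivot(seed: str, max_domains_per_ip: int = 20, max_rounds: int = 10):
    """Breadth-first expansion over the domain <-> IP graph.

    IPs hosting more than `max_domains_per_ip` registered domains are treated
    as shared hosting/CDN space: the IP is recorded but not expanded, otherwise
    one such IP pulls in half the internet. Returns (domains, ips)."""
    seed = registered_domain(seed)
    domains, ips = {seed}, set()
    queue = deque([seed])
    for _ in range(max_rounds):
        if not queue:
            break
        for _ in range(len(queue)):
            domain = queue.popleft()
            for ip in lookup_rrset(domain) - ips:
                ips.add(ip)
                names = lookup_rdata(ip)
                if len({registered_domain(n) for n in names}) > max_domains_per_ip:
                    continue  # shared infrastructure: keep the IP, do not expand
                for n in names:
                    rd = registered_domain(n)
                    if rd not in domains:
                        domains.add(rd)
                        queue.append(rd)
    return domains, ips


def collected_labels(domains: set) -> dict:
    """Left-most labels of subdomains under the pivoted domains, split into
    sandbox noise and the rest. The thread says the malware encodes the
    computer name in these labels; the encoding itself is not shown on this
    page, so the label is taken as-is here (an assumption)."""
    labels = {n.split(".")[0] for n, _, _ in PDNS
              if registered_domain(n) in domains and n.count(".") > 1}
    return {"sandbox": labels & SANDBOX_LABELS, "other": labels - SANDBOX_LABELS}


if __name__ == "__main__":
    found, seen_ips = pivot("c2-one.example")
    print("domains:", sorted(found))
    print("ips:", sorted(seen_ips))
    print("labels:", collected_labels(found))
```

Starting from `c2-one.example` the loop walks to `c2-two.example` and `c2-three.example` through the two shared IPs, stops at the 50-tenant IP, and separates the one sandbox label from the rest. The threshold is the knob you will tune per dataset; on real passive DNS, name servers and parking IPs are the usual places the walk runs away.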
Sidenote: #OceanLotus/#APT32 has a somewhat weird anomaly when setting up their DNS infrastructure, specifically in the SOA record: it should increment after changes, but doesn’t. Makes it easier to be sure you’re dealing with them.
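One way to turn that sidenote into a check, as an added example (not tooling from the thread): compare consecutive passive-DNS snapshots of a zone and flag the ones where the record set changed but the SOA serial did not move forward. The observations below are constructed sample data with invented zone names and serials; serial comparison follows RFC 1982 so a wrapped serial is not mistaken for a stuck one.

```python
"""Flag zones whose records changed between two observations while the SOA
serial stayed put. Added illustration; OBSERVATIONS is CONSTRUCTED data."""

SERIAL_MOD = 2 ** 32


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is `a` after `b`, allowing 32-bit wrap-around?"""
    return 0 < (a - b) % SERIAL_MOD < 2 ** 31


# (zone, observed_on, soa_serial, frozenset of (rrname, rrtype, rdata))
OBSERVATIONS = [
    ("c2-one.example", "2018-01-10", 2018011001,
     frozenset({("c2-one.example", "A", "198.51.100.10")})),
    ("c2-one.example", "2018-02-03", 2018011001,            # same serial ...
     frozenset({("c2-one.example", "A", "203.0.113.7")})),  # ... but a new A record
    ("tidy.example", "2018-01-10", 2018011001,
     frozenset({("tidy.example", "A", "192.0.2.5")})),
    ("tidy.example", "2018-02-03", 2018020301,              # serial bumped: fine
     frozenset({("tidy.example", "A", "192.0.2.6")})),
    ("still.example", "2018-01-10", 7,
     frozenset({("still.example", "A", "192.0.2.9")})),
    ("still.example", "2018-02-03", 7,                      # nothing changed: fine
     frozenset({("still.example", "A", "192.0.2.9")})),
]


def stale_serial_changes(observations):
    """Return (zone, from_date, to_date) for each pair of consecutive snapshots
    of a zone whose record set differs while the SOA serial did not advance."""
    by_zone = {}
    for zone, date, serial, rrs in sorted(observations, key=lambda o: (o[0], o[1])):
        by_zone.setdefault(zone, []).append((date, serial, rrs))
    findings = []
    for zone, snaps in by_zone.items():
        for (d0, s0, r0), (d1, s1, r1) in zip(snaps, snaps[1:]):
            if r0 != r1 and not serial_gt(s1, s0):
                findings.append((zone, d0, d1))
    return findings


if __name__ == "__main__":
    for zone, d0, d1 in stale_serial_changes(OBSERVATIONS):
        print(f"{zone}: records changed between {d0} and {d1}, SOA serial unchanged")
```

A stuck serial on its own is a weak signal, since careless operators and some DNS providers produce it too; it earns its place as one more attribute to line up beside the IP and naming overlaps from the pivot, which is how the thread uses it.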
So, we got more than 1000 names. Many of those are from researchers or sandboxes (e.g. “tequilaboomboom” from VT). But a huge chunk are Vietnamese first and last names. Nice for us as reporters to be able to verify the claim about who this group is targeting by looking at PassiveDNS.
We also found names like “asean”. ASEAN was successfully targeted back in 2017, as laid out in this blog post by @Volexity: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/ To be sure, we reached out to ASEAN but never heard back.
While I was able to find out that #OceanLotus successfully targeted government entities in the Philippines in 2018, we just don’t know if these ASPACs are connected to those cases. The government of the Philippines never got back to us.
Finishing this thread. Two options:

1. If you’re interested in another technical tidbit, check out this thread, where you’ll come across a mistake (maybe!) that OceanLotus made. Jump right here: https://twitter.com/hatr/status/1314169879885471746

2. Go back where you left off: https://twitter.com/hatr/status/1314170667319910400
You can follow @hatr.