On the technical side, we looked at
- PassiveDNS databases to find out who the group targeted
- phishing mails to see what kind of malware was dropped
- technical infrastructure – where we found a mistake they apparently made
If you are interested in using PassiveDNS for this kind of investigation, check this thread https://twitter.com/hatr/status/1314168813110415361
If you’re interested in the (what I think is a) mistake they made, check this thread https://twitter.com/hatr/status/1314169879885471746
In another case, in which @stevenadair was kind enough to help us, OceanLotus tried to drop Cobalt Strike on the machine of a German journalist (and other people, we know of 3). She didn’t click. She was suspicious when seeing the mail in her inbox.
One thing to mention: While companies can count on government entities to reach out to them if they know about ongoing campaigns, this doesn’t happen with dissidents/people in human rights work.
There are many reasons for that (hard to judge intent by looking at a phishing mail, for one), but it’s important to point out that it feels weird/bad that these people have to rely on intel researchers to reach out – as @Volexity did in one case we’re reporting on.
In our article we quote Thomas Haldenwang, top domestic spy. He says, on record, that his agency sees “distinct connections” to Vietnam when talking about APT32. However no clear evidence pointing to state-sponsoredness.
What I found to be curious: APT32/OceanLotus is one of the rare cases – I know of – in which a hacker group gave themselves a name (or adapted it), back in 2011. And that name is Sinh Tử Lệnh. It has a very interesting back story.
The name is taken from a character that appears in Jin Yong’s novels. Yong is famous in China, and also in Vietnam. Sinh Tử Lệnh refers to a (sort of) “Life and Death” talisman. If you get attacked by it, you’ll feel never-ending pain.
The pain will stop only if you obey your master. Which is what the hackers are doing, in a way. Malware to make you obey or feel pain. Attribution-wise, I think this is telling (while I wouldn’t read too much into it.)
That’s it. This investigation – with @zeitonline – has been consuming me for many months. I’m glad the story is out there. I think the visuals are wildly beautiful.

An English version is, hopefully, coming soon.
P.S.: I was able to sneak in a little joke threat intel researchers make when referring to #OceanLotus/ #APT32 – the hackers are "the world's least authorized red team".