Researchers have found that Vietnamese human rights organizations have been under persistent cyberattack by the group known as OceanLotus. The espionage campaign, which has been running for more than four years, underlines the continuing threat that non-profit organizations, and human rights groups in particular, face in today's digital world.

Discovery of Cyberattack Traces

Huntress, a cybersecurity firm, attributed the activity to OceanLotus, also tracked as APT32, APT-C-00, and Canvas Cyclone. The group, believed to have ties to the Vietnamese government, was found to have compromised four computers belonging to the human rights organizations. The intrusion was detected during a routine investigation, which went on to reveal a series of sophisticated tactics employed by the attackers.

Methods of Attack and Persistence

The attackers kept a foothold on the compromised computers through five scheduled tasks, disguised as Adobe Flash updates and Microsoft Defender updates. The tasks launched a mix of payloads: Windows Script Host and VBS scripts, Java, Metasploit and Cobalt Strike payloads, and raw shellcode. BAT batch files and COM objects were also used to keep the operation running undetected for weeks. Note that Adobe Flash reached end of life in December 2020, so any "Flash update" task registered on a current system is itself a red flag.

The primary purpose of these tasks was to maintain a persistent connection to a remote server so the attackers could monitor and control the compromised machines. OceanLotus also installed a backdoor loaded through a COM object hosted by DllHost and used it to steal cookies from the Chrome browser; stolen cookies let an attacker take over a victim's authenticated web sessions without knowing their passwords. This combination gave the attackers durable access to sensitive data and operations within the human rights organizations.

Escalation and Further Targets

The investigation did not end there. After finding the first compromised machine, researchers traced the attackers' methods and found further evidence of their operations. They identified a second computer targeted by OceanLotus roughly one and a half months after the initial attack. There, the attackers used Windows Management Instrumentation (WMI) to execute commands remotely and abused the Calibre e-book management software to load a malicious DLL.

On the third targeted computer, the attackers performed a named pipe impersonation attack (a common way to obtain a SYSTEM token from an already elevated session) and then used Cobalt Strike to register a scheduled task running with SYSTEM privileges, indicating full control over the host and a significant level of access to the organization's infrastructure.
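The tradecraft described in the last three sections (scheduled tasks disguised as vendor updates, commands spawned through WMI, a trusted application loading a malicious DLL, and Cobalt Strike named pipes) leaves traces in ordinary Windows telemetry. The following triage script is an added example written for this article, not code from Huntress or from the report it describes. It runs a small set of checks over simplified event records whose field names loosely follow Security event 4698 and Sysmon events 1, 7, 17 and 18 (an assumption: real exports need a mapping step). The sample events, the hostnames, the task and file names, and the script-host list are all constructed for illustration; the Cobalt Strike pipe-name patterns are the tool's publicly documented defaults and are not taken from the article.

```python
"""Triage constructed Windows event records for the OceanLotus tradecraft described above.

Field names are a simplified stand-in for Security 4698 and Sysmon 1/7/17/18 (assumption).
"""
import re
from typing import Callable, Iterable

# The report says the tasks were disguised as Adobe Flash and Microsoft Defender updates.
LURE_TASK_RE = re.compile(r"adobe|flash|defender", re.I)

# Script hosts and living-off-the-land binaries that a genuine vendor "updater" task has
# no reason to launch (illustrative list, an assumption rather than from the report).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe", "java.exe"}

# Default Cobalt Strike named-pipe patterns (publicly documented defaults, not from the page).
CS_PIPE_RE = re.compile(r"^\\(MSSE-\d+-server|postex_[0-9a-f]+|msagent_[0-9a-f]+|status_[0-9a-f]+)$", re.I)

# Directories a trusted application should not be loading DLLs from.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; tolerates forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_scheduled_task(ev: dict) -> list[str]:
    """Task registered (4698): lure name, script-host action, and SYSTEM context."""
    hits = []
    if LURE_TASK_RE.search(ev["task_name"]):
        hits.append("task name imitates a vendor update")
    if basename(ev["command"]) in SCRIPT_HOSTS:
        hits.append(f"action launches {basename(ev['command'])}")
    # SYSTEM alone is normal for many built-in tasks; only report it alongside another hit.
    if hits and ev.get("run_as", "").upper() == "SYSTEM":
        hits.append("runs as SYSTEM")
    return hits


def check_process(ev: dict) -> list[str]:
    """Process creation (Sysmon 1): a script host whose parent is WmiPrvSE.exe is the
    classic footprint of a command executed remotely over WMI."""
    if basename(ev["parent_image"]) == "wmiprvse.exe" and basename(ev["image"]) in SCRIPT_HOSTS:
        return ["script host spawned by WmiPrvSE.exe (WMI remote execution)"]
    return []


def check_image_load(ev: dict) -> list[str]:
    """Image load (Sysmon 7): a trusted program loading an unsigned DLL from a
    user-writable directory, the shape of the Calibre abuse described above."""
    if not ev.get("signed", True) and USER_WRITABLE_RE.search(ev["image_loaded"]):
        return [f"{basename(ev['image'])} loaded unsigned DLL from user-writable path"]
    return []


def check_pipe(ev: dict) -> list[str]:
    """Pipe created/connected (Sysmon 17/18): default Cobalt Strike pipe names."""
    if CS_PIPE_RE.match(ev["pipe_name"]):
        return [f"Cobalt Strike default pipe name {ev['pipe_name']}"]
    return []


CHECKS: dict[int, Callable[[dict], list[str]]] = {
    4698: check_scheduled_task, 1: check_process, 7: check_image_load,
    17: check_pipe, 18: check_pipe,
}


def triage(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Return (host, reasons) for every event that trips at least one check."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["id"])
        if check is not None:
            hits = check(ev)
            if hits:
                findings.append((ev["host"], hits))
    return findings


# Constructed sample telemetry: one suspicious and one benign record per category.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "WS01", "task_name": "\\Adobe Flash Player Updater",
     "command": "C:\\Windows\\System32\\wscript.exe", "arguments": "//B C:\\ProgramData\\flash.vbs",
     "run_as": "SYSTEM"},
    {"id": 4698, "host": "WS01", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe", "arguments": "-c -h -o -$", "run_as": "SYSTEM"},
    {"id": 1, "host": "WS02", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"id": 1, "host": "WS02", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"id": 7, "host": "WS02", "image": "C:\\Program Files\\Calibre2\\calibre.exe",
     "image_loaded": "C:\\Users\\staff\\AppData\\Local\\Temp\\calibre-lib.dll", "signed": False},
    {"id": 17, "host": "WS03", "image": "C:\\Windows\\System32\\rundll32.exe",
     "pipe_name": "\\MSSE-4851-server"},
    {"id": 17, "host": "WS03", "image": "C:\\Windows\\System32\\lsass.exe", "pipe_name": "\\lsass"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

Against the constructed sample the script reports four events (the lure task, the WMI-spawned cmd.exe, the unsigned DLL loaded by calibre.exe and the MSSE pipe) and stays silent on the built-in defrag task, the services.exe child and the lsass pipe. In a real deployment the same checks belong in the SIEM or EDR query language; the point here is which fields carry the signal for each stage of the intrusion.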

Broader Implications and Prevention

The discovery of these cyberattacks on Vietnamese human rights organizations underscores the ongoing threat of state-sponsored cyber espionage and the importance of robust cybersecurity measures for non-profit organizations. These groups often deal with sensitive information and critical human rights issues, making them attractive targets for malicious actors.

Organizations must implement comprehensive security measures, including regular vulnerability assessments, staff training on security best practices, and endpoint monitoring that covers the kinds of activity seen in this campaign: scheduled task creation, WMI-launched processes, unexpected DLL loads and named pipe creation. Working with cybersecurity experts and intelligence agencies can also give organizations the resources they need to identify and respond to threats effectively.

The prolonged attack on Vietnamese human rights organizations by the OceanLotus group is a stark reminder of the evolving tactics employed by state-aligned espionage groups and of the need for heightened vigilance and preparedness. It highlights the importance of continuous security education, robust defensive measures, and proactive threat monitoring for organizations that need to protect their data and operations.

