A new report from Amnesty International says between February 2018 and November 2020, Vietnamese hackers targeted Vietnamese human rights activists with spyware.
Vietnamese hacking group known as Ocean Lotus is reportedly behind the attacks.
Ocean Lotus, other names include APT32, APT-C-00, SeaLotus, and Cobalt Kitty, is a group of hackers that has been active since at least 2012. They mainly focus their disruptive activities on Vietnamese media, human rights, and civil society organizations, political dissidents, but also foreign governments and companies.
In the recent attacks, they focused their efforts on activists and abroad both in Vietnam and abroad.
“The investigation conducted by Amnesty International’s Security Lab revealed that two HRDs and a non-profit human rights organization from Viet Nam have been targeted by a coordinated spyware campaign,” Amnesty reveals in their report.
One of the targets was a pro-democracy blogger and activist Bui Thanh Hieu, also known as The Wind Trader. Living in Germany since 2013, he writes revealing pieces on topics such as social and economic justice and human rights.
Among the targeted by Ocean Lotus was the Vietnamese Overseas Initiative for Conscience Empowerment (VOICE), a non-profit human rights organization.
Ocean Lotus also targeted a Vietnamese blogger who publicly criticized the government for a January 2020 incident when security officers killed several people in a raid on the village of Dong Tam.
The two bloggers and VOICE received emails containing spyware between February 2018 and November 2020, Amnesty says. The spyware was either attached or included as a link. After opening either the file or link, the malware would open a legitimate-looking document tricking the victim into believing the file was benign.
To infiltrate Windows machines, Ocean Lotus used their custom malware called Kerrdown which would then fetch additional spyware, in this case, Cobalt Strike. If the operation was successful, the attackers would gain full access to the victim’s system.
To infiltrate macOS systems, they used a different variant of their own spyware. The malware would allow them to see system information and give them the ability to run commands and download, upload, and execute files.
The AI researchers couldn’t attribute Ocean Lotus’ activities to any company or government. However, they said, “the extensive list of people and organizations targeted by Ocean Lotus over the years shows that it has a clear focus on targeting human rights and media groups from Viet Nam and neighboring countries.” This raises suspicions that Ocean Lotus is linked to Vietnamese state actors, Amnesty International said.