In a surprising and unexpected announcement on Thursday, the Facebook security team revealed the real identity of APT32, one of today’s most active state-sponsored hacking groups, believed to be linked to the Vietnamese government.
The company said it took this step after it detected APT32 using its platform to spread malware in attempts to infect users.
“Our investigation linked this activity to CyberOne Group [archived website, archived Facebook page], an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso),” said Nathaniel Gleicher, Head of Security Policy at Facebook, and Mike Dvilyanski, Cyber Threat Intelligence Manager.
A CyberOne spokesperson could not be reached for comment over the phone, as a previously listed phone number was offline. Emails sent to the company bounced.
APT32 used Facebook to approach targets
According to Gleicher and Dvilyanski, APT32 operated on Facebook by creating accounts and pages for fictitious personas, usually posing as activists or business entities.
Using romantic or other lures, the group would often share links with their targets to various domains they either hacked or operated themselves.
The links would usually lead to phishing or malware, or would even include links to Android apps that the group had managed to upload on the official Play Store, allowing them to spy on their victims.
Based on its insights into this campaign, Facebook said the group targeted entities such as:
- Vietnamese human rights activists locally and abroad
- Foreign governments, including those in Laos and Cambodia
- Non-governmental organizations
- News agencies
- businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services
Facebook said that besides taking down the group’s accounts and pages, it has also blocked the group’s domains, so they can’t be re-used under new accounts APT32 might set up in the future.
The social network also shared YARA rules and malware signatures, so other social networks and security firms can also take action and protect their users.
A long string of hacks
Believed to have begun operating in 2014, the APT32 group is also often referred to as OceanLotus.
Its past operations are a literal smorgasbord of activity, and the group has been linked to attacks on almost everything of interest to the Vietnamese state.
This not only included the affairs of neighboring countries, but also attacks on political dissidents and activists, and even private businesses that the group might believe are of interest to the Vietnamese government.
The best example of this targeting has been the group’s widespread attacks on automakers in 2019. In what experts have described as a persistent campaign to steal intellectual property to support Vietnam’s state-funded fledgling automotive startup VinFast, the group hit and stole data from the likes of BMW, Hyundai, Toyota Australia, Toyota Japan, and even Toyota Vietnam, all in succession, in a small time window.
Furthermore, when the coronavirus pandemic hit the world earlier this year, APT32 also re-focused on gathering COVID-19 data, even targeting government officials in Wuhan, China, where the first cases were recorded, seeking information about the disease.
This versatility in targeting is a staple of a mature threat actor. But this versatility also extends to its arsenal of hacking tools. Social engineering, drive-by downloads, Office bugs, custom malware, abusing open-source tools, public exploits, macOS malware — the group has used them all.
Although often ignored in cyber-security reports because of its links to Vietnam, the group has often shown prowess in shifting tactics and hacking tools across the years, a sign that they have the resources and knowledge to adapt.
Facebook’s dox will be controversial & disputed
According to Facebook, this maturity comes from the fact that behind APT32 is an actual cyber-security firm, one that’s still hiring even today, according to recent job posts.
But whether Facebook’s dox is accurate remains to be seen.
Facebook’s actions are surprising, to say the least, and are bound to attract scrutiny not only from government officials in Vietnam and all the hacked countries but also from the cyber-security industry.
This is because doxing nation-state groups is something that has been, until today, left to prosecutors or anonymous vigilantes only.
Cyber-security firms usually tip-toe around attribution to any government, let alone linking groups to various intelligence agencies or local contractors.
Besides the US Department of Justice and a group known as IntrusionTruth, nobody has dared cross this line. Well, except FireEye, which doxed some Russian malware and then got hacked by a suspected Russian group.
But if we learned anything, it is that the DOJ is usually also reading and looking into any public doxing of nation-state groups. Three of the four IntrusionTruth doxings have eventually turned into official DOJ cases.