Cyber espionage continues to proliferate: The threat of APT32 for multinational companies

Cyber espionage actors, designated by FireEye as APT32 (OceanLotus Group), are actively intruding into private companies in multiple industries, and have also targeted governments, dissidents and journalists.

Op-ed by Nick Carr, senior manager for Mandiant incident response at FireEye

FireEye believes that APT32 relies on a specific suite of malware with full functionality, in conjunction with other tools available on the market, to conduct targeted operations that are aligned with Vietnam's national interests.

APT32 targets private sector business activities in South East Asia

Since at least 2014, FireEye has observed APT32 targeting foreign companies with direct interests in the manufacturing, consumer products and hospitality sectors in Vietnam. In addition, there are indications that APT32 actors are targeting companies specializing in network security and IT infrastructure, as well as consulting firms that can be linked with foreign investors. Here is the detail of the intrusions analyzed by FireEye that are attributed to APT32 since 2014:

· In 2014, a European company was attacked before building a manufacturing plant in Vietnam.
· In 2016, Vietnamese and foreign companies working in the areas of network security, IT infrastructure, banking and media were targeted.
· In mid-2016, malware that FireEye believes to be specific to APT32 was detected on the networks of a global player in the hospitality industry that plans to expand its operations in Vietnam.
· In 2016 and 2017, two subsidiaries of US and Philippine consumer products companies operating in Vietnam were targeted by APT32.
· In 2017, APT32 attacked the offices of a multinational consulting firm.

APT32 activities in the field of international relations and policy

In addition to its activities in the private sector with links to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists, since 2013. Here is the detail of this activity:

· A public blog post published by the Electronic Frontier Foundation reported that journalists, activists, dissidents and bloggers were targeted in 2013 by malware and tactics related to APT32 operations.
· In 2014, APT32 carried out a spear phishing attack using a file called "Plans to Fight Protesters at the Embassy of Vietnam.exe", which targeted dissident activity in the Vietnamese diaspora in South East Asia. Also in 2014, APT32 carried out an intrusion into the parliament of a Western country.
· In 2015, SkyEye Labs, the security research division of the Chinese company Qihoo 360, published a report detailing threat actors targeting Chinese public and private organizations, including government agencies, research institutes, shipping agencies, and shipping and shipbuilding companies. The information in this report indicated that the attackers used the same malware, infrastructure and targets as APT32.
· In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye believes to be specific to APT32.
· In 2017, the social engineering content in the decoys used by the actor provided evidence that the attack was likely aimed at members of the Vietnamese diaspora in Australia as well as government employees in the Philippines.
Tactics used by APT32

In its attacks, APT32 exploited ActiveMime files and used social engineering to induce the victim to enable macros. When run, the file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver malicious content via phishing emails today.

The APT32 actors designed lure documents in several languages suited to specific victims. Even though these files had ".doc" extensions, the retrieved phishing lures were ActiveMime ".mht" web pages containing text and images. These files were probably created by exporting Word documents to web page files.

APT32 operators have implemented several innovative techniques to track the effectiveness of their phishing attacks, control the distribution of their malicious documents, and establish persistence mechanisms to dynamically update the backdoors injected into the memory of their targets.

-- In order to track who opened the phishing emails, viewed the links and downloaded the attachments in real time, APT32 used cloud-based email analytics software of the kind used by commercial companies. In some cases APT32 completely abandoned the use of email attachments to rely exclusively on this tracking technique, with links to its remotely hosted ActiveMime decoys on legitimate cloud storage services.

-- To improve its visibility on the distribution of its phishing lures, APT32 used the native web page functionality of its ActiveMime documents to load images hosted remotely on the infrastructure it controlled.
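As an added defender-side example (not code from the original article or from FireEye), the following Python triage helper applies the two observations above: it checks whether a file carrying a ".doc" extension is really an MHTML web archive with an ActiveMime part, and lists the remote image URLs such a document would fetch when rendered. The sample lure, the tracking hostname and the function name are constructed placeholders.

```python
import base64
import re
from email import message_from_bytes

# Constructed sample, not a real lure: a file delivered as "invoice.doc" that is
# really a Word "web page" (MHTML) with an ActiveMime part and a remote 1x1 image.
MSO_B64 = base64.b64encode(b"ActiveMime" + b"\x00" * 22).decode()
SAMPLE_LURE = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="----=_NextPart_01D2"\n\n'
    "------=_NextPart_01D2\n"
    "Content-Type: text/html\n\n"
    "<html><body><p>Invoice attached.</p>\n"
    '<img src="http://tracking.example.invalid/p.gif" width=1 height=1>\n'
    '<img src="file:///C:/invoice_files/logo.png"></body></html>\n'
    "------=_NextPart_01D2\n"
    "Content-Location: file:///C:/invoice_files/editdata.mso\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Type: application/x-mso\n\n"
    f"{MSO_B64}\n"
    "------=_NextPart_01D2--\n"
).encode()

# src/href attributes pointing at http(s) hosts, i.e. content fetched on open.
REMOTE_REF = re.compile(r"""(?:src|href)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


def analyze_lure(filename: str, data: bytes) -> dict:
    """Triage one attachment: MHTML posing as .doc? ActiveMime part? remote refs?"""
    msg = message_from_bytes(data)
    is_mhtml = msg.is_multipart() and msg.get("MIME-Version") is not None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    has_activemime, remote_refs = False, []
    if is_mhtml:
        for part in msg.walk():
            payload = part.get_payload(decode=True) or b""
            loc = (part.get("Content-Location") or "").lower()
            if loc.endswith(".mso") or part.get_content_type() == "application/x-mso":
                # Word keeps macro/OLE data in editdata.mso, which starts with "ActiveMime".
                has_activemime |= payload.startswith(b"ActiveMime")
            elif part.get_content_type() == "text/html":
                remote_refs += REMOTE_REF.findall(payload.decode("ascii", "replace"))
    return {
        "is_mhtml": is_mhtml,
        "extension_mismatch": is_mhtml and ext in {"doc", "docx", "rtf"},
        "has_activemime": has_activemime,
        "remote_refs": sorted(set(remote_refs)),
        "suspicious": is_mhtml and ext == "doc" and (has_activemime or bool(remote_refs)),
    }
```

Run on a mail gateway quarantine, the "remote_refs" hosts are the ones to block or sinkhole so that opening the lure does not confirm delivery to the sender.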
Malware and APT32 Infrastructure

APT32 appears to have extensive development resources and uses a customized backdoor suite that covers multiple protocols. The operations of APT32 are characterized by the deployment of malware families including WINDSHIELD, KOMPROGO, SOUNDBITE and PHOREAL. APT32 often deploys these backdoors in conjunction with the commercially available Cobalt Strike BEACON backdoor. APT32 also has backdoor development capabilities for macOS.

Perspectives and Implications

Based on incident investigations, product detections, observations from intelligence analysts, and additional publications, FireEye believes that APT32 is a cyber espionage group aligned with the interests of the government of Vietnam. The targeting of private interests by APT32 is notable, and FireEye believes that this actor represents a significant risk for companies that are doing business or are preparing to invest in the country. Although the motivation of each of the APT32 attacks against the private sector varied, and in some cases could not be determined, unauthorized intrusion could serve as a basis for judicial inquiries, intellectual property theft or anti-corruption measures that could ultimately erode the competitive advantages of the targeted companies. In addition, APT32 continues to threaten political activism and freedom of opinion in South East Asia and in public administrations around the world. Governments, journalists and members of the Vietnamese diaspora will continue to serve as targets.

Although actors such as China, Iran, Russia and North Korea remain the most active sources of cyber threats that FireEye follows and deals with, APT32 reflects a growing group of new countries that have adopted this dynamic capability. APT32 demonstrates the impact that offensive capabilities can have if actors have the right investments and the flexibility to master new tools and techniques. With an increasing number of countries conducting efficient and low-cost cyber operations, public awareness of these threats and a renewed dialogue are needed about nation-state intrusions that go beyond public sector and intelligence targets.

