Vietnamese Hackers of “Ocean Lotus” Are Targeting Human Rights Activists

• State-supported actors are targeting Vietnamese freedom of speech and human rights activists.
• The hackers are sending emails laced with a downloader which then fetches powerful spyware.
• Vietnam is going through dark times, bashing free journalism and upping online repression.

Vietnamese human rights activists and freedom of speech advocates are being actively targeted by sophisticated state-supported hackers of the “Ocean Lotus” (APT32) group. This is the same group of hackers that was attributed responsibility for cyber-attacks against BMW and Hyundai and the one that planted Monero miners on compromised targets to create a distraction.

This time, APT32 was “caught” by Amnesty International Security Lab, targeting a Vietnamese human rights defender (Bui Thanh Hieu) who lives in Germany, and also a Vietnamese NGO (VOICE – Vietnamese Overseas Initiative for Conscience Empowerment), which is based in the Philippines.

The technical evidence collected and analyzed by Amnesty’s agents indicates that the attacks happened between 2018 and 2020. The hackers attempted to infect the targets via emails that carried spyware attachments.

The payloads covered both macOS and Windows systems, and the variants used include the “Kerrdown” downloader, which then fetched the “Cobalt Strike” toolkit. The capabilities include keylogging, system information collection, upload or download of files, command execution, and file execution.

Vietnam has a 20/100 score on Freedom House, which gives the country a “Not Free” status. Political rights and civil liberties are increasingly getting undermined by the governing party (CPV), and many journalists, bloggers, and human rights activists are getting arrested, convicted as criminals, or physically assaulted at will.

In December 2020, we posted a piece on which countries use the highest number of Chinese surveillance cameras, and Vietnam came second in the world, indicative of the regime’s avocation with population control and pro-active repression. Also, just last month, the government passed a new “cybersecurity law” that requires Facebook, Google, and all IT companies offering services in the country to store user data locally and make it accessible to state authorities.

If you fight or advocate for human rights and freedom of speech in Vietnam, be very careful with all incoming communications, especially emails with attachments. Do not click on shortened links, do not give apps access to your Google account willy-nilly, keep all your software and OS updated, use a reliable AV tool, and enable 2FA wherever that’s possible. “Ocean Lotus” is a sophisticated actor, but if you follow certain precautionary measures without deviation, it’ll be quite hard for the hackers to compromise you.