Facebook's security team has exposed the identity of APT32, one of the most active state-sponsored hacking groups today, which is believed to be affiliated with the Vietnamese government.
The information came in an unexpected announcement on Thursday, in which Facebook's security team said it took this step after discovering that APT32 was using Facebook's platform to distribute malware.
According to Nathaniel Gleicher, Head of Security Policy at Facebook, and Mike Dvilyanski, Cyber Threat Intelligence Manager, the investigation of this malware distribution operation led to an IT company in Vietnam named CyberOne Group.
The OceanLotus malware linked to CyberOne Group
Facebook's security team says APT32 operated on the platform by creating profiles and pages for fake personas, typically posing as activists or as representatives of companies.
The group used various lures and tactics to share links with its targets to domains it either controlled itself or had compromised.
Typically, the malicious links redirected users to phishing or malware-infected sites, or to malicious Android applications that the group had uploaded to the official Play Store in order to spy on its victims.
According to Facebook's investigation, the common targets of the malware-distribution campaign were human rights activists in Vietnam and abroad, as well as non-governmental organizations, news agencies, foreign governments, and businesses in information technology, hospitality, agriculture and commodities, the auto industry, mobile services, hospitals, and more.
Facebook says that, in addition to shutting down the group's profiles and websites, it has blocked the domains APT32 used so that they cannot be reused in the future under new accounts.
The security team has also shared YARA rules and malware signatures that other security firms and social networks can use to protect their users.
The APT32 group is also known as OceanLotus and is believed to have been active since 2014.
All the activities of the group in the past have been associated with attacks that serve the interests of the Vietnamese government. This includes operations that target neighboring countries, as well as attacks on political dissidents and activists, and private businesses.
APT32 has also been linked to a persistent 2019 campaign aimed at stealing intellectual property from BMW, Toyota, and Hyundai in support of VinFast, a Vietnamese state-sponsored automotive startup.
Furthermore, APT32 has been detected collecting COVID-19 information by targeting government officials in Wuhan, China, where the initial cases of the coronavirus were registered.
This flexibility indicates that APT32 is a mature threat actor capable of changing strategies and techniques and of drawing on a broad arsenal of tools. The group has successfully employed social engineering, drive-by downloads, custom malware (including macOS malware), misuse of open-source tools, and various public exploits.
According to Facebook, this sophistication stems from the fact that APT32 is backed by an actual cybersecurity company.
Cybersecurity media have described Facebook's action as both impressive and controversial, since until now only anonymous vigilantes and prosecutors have engaged in doxing nation-state groups.
Cybersecurity companies are typically reluctant to publicly attribute activity to a specific government, or to name that government's links to local contractors or intelligence agencies. Facebook's dox is therefore expected to be heavily disputed in the coming days.