Facebook links activities of OceanLotus hackers to IT firm in Vietnam

The social network has barred Vietnamese APT32 (or OceanLotus) and a Bangladeshi group of hackers from using its platforms for their malicious purposes.

Nathaniel Gleicher, Facebook’s Head of Security Policy, and the company’s Cyber Threat Intelligence Manager Mike Dvilyanski announced on Thursday that they have acted against two different groups of hackers.

One group is based in Bangladesh and the other in Vietnam. The two are unconnected, but both targeted people on Facebook and elsewhere across the web using diverse tactics.

The social network said that the Facebook pages and accounts of both groups had been removed and that information about them would be shared with industry partners.

According to the Newsroom post from Facebook, the Bangladeshi group targeted journalists, local activists, and religious minorities, some of whom were based overseas. The group compromised its targets' accounts and pages, then had the pages disabled by reporting them for violating Facebook's community standards.

Facebook has put an end to these groups’ ability to abuse its platform, hack others’ accounts, distribute malware, or perform similar malicious tasks using their infrastructure. Facebook was able to link the malicious activities of the unnamed Bangladeshi group to two non-profit organizations, namely, Don’s Team (aka Defense of Nation) and the Crime Research and Analysis Foundation (CRAF). 

The two organizations worked in collaboration and reported fictitious violations of Facebook's community standards by their targets, including "alleged impersonation, intellectual property infringements, nudity, and terrorism."

The group also hacked pages and accounts and used some of the compromised accounts to amplify its own content or for other operational purposes.

"On at least one occasion, after a page administrator's account was compromised, they removed the remaining admins to take over and disable the page."

The Vietnamese group APT32 (also known as OceanLotus) focused on delivering malware to its victims. The Bangladeshi group, by contrast, concentrated on compromising accounts across different platforms and getting targeted accounts removed from Facebook.

In Vietnam, Facebook attributed the activity to an advanced persistent threat actor, APT32, which targeted Vietnamese human rights activists (both local and abroad), non-government organizations, foreign governments (e.g. Laos and Cambodia), news agencies, and businesses across diverse sectors including retail, hospitals, hospitality, agriculture, IT, mobile, and automotive with malware.

The group also lured victims into installing Android apps distributed through the Google Play Store. The apps requested a wide range of permissions, which allowed the attackers to spy on their targets' devices.
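The permission set an app declares is the first thing worth checking when an unfamiliar Play Store app is suspected of being spyware. The following triage script is an added example written for this article, not code from Facebook or from the APT32 report. It parses an AndroidManifest.xml (in a real APK the manifest is binary XML and must first be decoded with a tool such as apktool or androguard; the two manifests below are constructed for the example) and flags the cluster of sensor, messaging and persistence permissions that, taken together in an app whose stated purpose does not need them, is the profile of a surveillance app. The thresholds and package names are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used for android:name in manifests.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app observe the user or read other apps' data.
# Any one alone can be legitimate; several together in a "news" or "chat"
# app whose purpose does not need them is the warning sign.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.CAMERA": "camera capture",
    "android.permission.READ_SMS": "read SMS, including 2FA codes",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.READ_CALL_LOG": "harvest call history",
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while not in use",
    "android.permission.READ_EXTERNAL_STORAGE": "read stored files and photos",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "read and inject UI of other apps",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay phishing)",
}

# Permissions that make the collection persistent and exfiltratable.
SUPPORTING_PERMISSIONS = {
    "android.permission.INTERNET": "network exfiltration",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
    "android.permission.FOREGROUND_SERVICE": "long-running background service",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "avoid being killed by battery saver",
}


def requested_permissions(manifest_xml: str) -> list:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded manifest; thresholds are illustrative assumptions."""
    root = ET.fromstring(manifest_xml)
    perms = set(requested_permissions(manifest_xml))
    spying = sorted(p for p in perms if p in SURVEILLANCE_PERMISSIONS)
    support = sorted(p for p in perms if p in SUPPORTING_PERMISSIONS)
    can_exfiltrate = "android.permission.INTERNET" in perms
    persists = bool(perms & {"android.permission.RECEIVE_BOOT_COMPLETED",
                             "android.permission.FOREGROUND_SERVICE"})
    # Several collection permissions plus the means to persist and send the
    # data out is what distinguishes spyware from a merely greedy app.
    if len(spying) >= 3 and can_exfiltrate and persists:
        verdict = "spyware-like"
    elif spying and can_exfiltrate:
        verdict = "elevated"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "verdict": verdict,
        "surveillance": {p: SURVEILLANCE_PERMISSIONS[p] for p in spying},
        "supporting": {p: SUPPORTING_PERMISSIONS[p] for p in support},
    }


# Constructed sample: a "news reader" that asks for far more than it needs.
SPYWARE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Daily News"/>
</manifest>
"""

# Constructed sample: a news reader that asks only for what it needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainnews">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Plain News"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SPYWARE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(f"{report['package']}: {report['verdict']}")
        for perm, why in report["surveillance"].items():
            print(f"  {perm} -> {why}")
```

The verdict is a triage hint, not proof: a genuine messaging app legitimately needs contacts, microphone and camera, so the result has to be read against what the app claims to do and who published it. Conversely, an app can spy with few declared permissions by abusing an accessibility service or by loading code at runtime, so a "low" score does not clear it.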

It is worth noting that OceanLotus has also been linked to the Toyota data breach in which data on 3.1 million customers was exposed. The same group was recently reported delivering malware disguised as a Windows error report and spreading a macOS backdoor detected as Backdoor.MacOS.OCEANLOTUS.F.

Gleicher and Dvilyanski explained that they were able to link the Vietnamese group's activity to a local IT company.

“Our investigation linked this activity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet, and Diacauso).”

APT32 created fake personas posing as businesspeople or activists, and even used "romantic lures" to draw in its victims. The group created "backstops for these fake personas and fake organizations on other internet services so they appear more legitimate and can withstand scrutiny, including by security researchers. Some of its pages were designed to lure particular followers for later phishing and malware targeting."

Facebook further found that the account takeovers themselves were carried out through off-platform tactics such as device compromise, email, or abuse of Facebook's account recovery process.
