ATK17 (aka APT32, SeaLotus, OceanLotus, APT-C-00) is a Vietnamese group that conducts a nearly continuous espionage campaign against a varied but well-defined set of targets, while maintaining a well-developed arsenal of tools. The group is known for the diversity of the lures it uses to reach its victims. ATK17 targets foreign corporations with a vested interest in Vietnam's manufacturing, consumer products, and hospitality sectors, and there are indications that its operators also target peripheral network security and technology infrastructure companies. In addition to this focused targeting of private-sector organisations with ties to Vietnam, ATK17 has targeted foreign governments, as well as Vietnamese dissidents and journalists, since at least 2013. For instance, in 2017, the social engineering content of lures used by the actor indicated that they were likely aimed at members of the Vietnamese diaspora in Australia as well as government employees in the Philippines.
It is an active group with a diverse toolset spanning multiple platforms (Windows and macOS). The group is dangerous because of its unusual ability to adapt even after its tooling has been discovered, and it has exploited multiple CVEs to reach its goals.
References
- 30/03/2010, Google, The chilling effects of malware, https://security.googleblog.com/2010/03/chilling-effects-of-malware.html
- 19/01/2014, EFF, Vietnamese Malware Gets Very Personal, https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal
- 14/05/2017, FireEye, Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations, https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
- 01/03/2018, ESET, OceanLotus: Old techniques, new backdoor, https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf
- 04/04/2018, Trend Micro, New MacOS Backdoor Linked to OceanLotus Found, https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
- 01/02/2019, Palo Alto Networks Unit 42, Tracking OceanLotus' new Downloader, KerrDown, https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
- 20/03/2019, ESET, Fake or Fake: Keeping up with OceanLotus decoys, https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
- 02/04/2019, Cylance, Report: OceanLotus APT Group Leveraging Steganography, https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html
- 25/04/2019, Telsy, OceanLotus On ASEAN Affairs, https://blog.telsy.com/oceanlotus-on-asean-affairs/
- 08/05/2019, 360Net, OceanLotus' Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure, https://ti.360.net/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/
- 17/10/2019, Cylance, Report: The SpyRATs of OceanLotus, https://threatvector.cylance.com/en_us/home/report-the-spyrats-of-oceanlotus.html
- 22/04/2020, FireEye, Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage, https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html
- FireEye, Operation Saffron Rose, https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf