Investigators from Facebook’s cybersecurity team have traced a notorious hacker group believed to be operating on behalf of the Vietnamese government, to an IT company based in Vietnam. The probe has been launched after Facebook detected that the group, known as APT32 or Ocean Lotus, has been using its platform to spread malware.
APT32 has been accused for years of targeting Vietnamese human rights activists, various foreign governments and non-governmental organizations, news agencies and businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services.
According to Facebook, the hackers had used its platforms to carry out various malicious activities, some of which involved fake personas posing as activists and business entities, or romantic lures used when contacting targets.
Facebook said it found links between cyber espionage campaigns previously attributed to the group and CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso).
“The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin…To disrupt this operation, we blocked associated domains from being posted on our platform, removed the group’s accounts and notified people who we believe were targeted by APT32,” Facebook said.
When contacted by Reuters, CyberOne Group denied being connected to the hackers.
“We are NOT Ocean Lotus. It’s a mistake,” a person operating the company’s now-suspended Facebook page said.
The tech giant also revealed that it took action against a group based in Bangladesh which used Facebook’s platforms to target local activists, journalists and religious minorities. This group has been linked by the investigators to two non-profit organizations in Bangladesh: Don’s Team (also known as Defense of Nation) and the Crime Research and Analysis Foundation (CRAF). The company said it removed accounts linked to this group and shared the relevant information with its industry partners.