OceanLotus: Extending Cyber Espionage Operations Through Fake Websites

Since Volexity’s 2017 discovery that OceanLotus was behind a sophisticated massive digital surveillance campaign, the threat group has continued to evolve. In 2019, Volexity gave a presentation at RSA Conference that provided a historic and up-to-date look at various operations of the Vietnamese threat actor OceanLotus. Notably, the presentation revealed that, for years, OceanLotus set up and operated multiple activist, news, and anti-corruption websites. At first glance, it appeared these were real websites that had been compromised. These fake websites were convincingly legitimate and allowed OceanLotus to have full control over the tracking of and attacks against website visitors. The most popular of these websites even had a corresponding Facebook page with over 20,000 followers. Shortly after the presentation was given, these websites were shut down or abandoned.

However, old habits and successful techniques die hard. Volexity has identified multiple new attack campaigns being launched by OceanLotus via multiple fake websites and Facebook pages that have been set up within the last year. In addition to targeting those within Vietnam, Volexity has seen renewed targeting of OceanLotus’s neighbors throughout Southeast Asia. These websites have been observed profiling users, redirecting to phishing pages, and being leveraged to distribute malware payloads for Windows and OSX. This post will focus on one of the larger campaigns where OceanLotus has leveraged multiple fake news websites to target users.

Throughout the year, Volexity identified multiple Vietnamese-language news websites that appeared to be compromised, as they were being used to load an OceanLotus web profiling framework. The exact functionality varied from site to site, but the goal of these frameworks was to gather information about site visitors and, in some cases, deliver malware. This code appears to be a variation of what Volexity has previously described as Framework A.

Read more at Volexity


The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
