The cyber world is rife with hackers and hacking groups. The most advanced, persistent and hardest to contain among them earn the label APT, short for Advanced Persistent Threat. One such group is the subject of today's article: APT32, also known as OceanLotus. The group is believed to operate out of Vietnam, to have been active since 2012, and to have ties to the Vietnamese government; its targets are mostly located in other Southeast Asian countries. The case for government involvement rests on the apparently political aims of its campaigns, which analysts infer from the victim list: dissidents, journalists, foreign governments, human rights organizations, and foreign companies entering Vietnamese industries.
One of the tools in OceanLotus's arsenal is SOUNDBITE. It was observed in at least two large campaigns in 2016. One targeted a consumer-products company in the Philippines and also made use of several other APT32 tools: BEACON, WINDSHIELD and KOMPROGO. In the same year a second OceanLotus intrusion was identified, this time in the United States. The corporation hit was in the same sector as the Philippine one and the toolset was the same, except that the attackers used PHOREAL instead of KOMPROGO. These tools are regarded as signature malware payloads of OceanLotus. It has also been suggested that APT32 possesses backdoors capable of compromising machines running macOS.
SOUNDBITE communicates with its Command & Control server over the DNS protocol rather than the more common HTTP or FTP channels, which lets its traffic blend in with legitimate name resolution and slip past controls that only inspect web traffic. The backdoor can upload files to the compromised system and execute them, run PowerShell commands on the infiltrated computer, collect information about the directories, files and program windows currently present on the victim's machine, and modify the Windows Registry.
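The page does not describe how SOUNDBITE encodes its data in DNS, so the following is not a signature for it. It is an added example, written for this article and not taken from any vendor report, of the kind of heuristic a defender can run over DNS query logs to surface DNS-based C2 in general: a domain that receives a steady stream of queries whose subdomain labels are almost never repeated, are long or high-entropy, and use payload-carrying record types. The log format, the sample lines, the thresholds and the "last two labels" approximation of the registered domain are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Illustrative thresholds (assumptions for this example; tune on real traffic).
MIN_QUERIES = 5        # ignore domains with too little traffic to judge
UNIQUE_RATIO = 0.8     # share of queries whose subdomain had never been seen before
MEAN_ENTROPY = 3.0     # mean bits per character of the subdomain part
MEAN_LENGTH = 20       # mean number of characters in the subdomain part
DATA_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that can carry arbitrary payload

# Constructed sample log, one query per line: "<epoch> <client> <qname> <qtype>".
# The names under update-cdn.example are made-up random-looking labels of the
# sort a DNS tunnel produces; the remaining lines are ordinary lookups.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com A
1700000003 10.0.0.5 4f2a9c1e8b7d3a60f1e2d3c4.update-cdn.example TXT
1700000004 10.0.0.5 www.example.com A
1700000005 10.0.0.5 9b8c7d6e5f4a3b2c1d0e9f8a.update-cdn.example TXT
1700000006 10.0.0.5 docs.example.com A
1700000007 10.0.0.5 0a1b2c3d4e5f60718293a4b5.update-cdn.example TXT
1700000008 10.0.0.5 c6d7e8f90a1b2c3d4e5f6071.update-cdn.example TXT
1700000009 10.0.0.5 www.example.com A
1700000010 10.0.0.5 7e6d5c4b3a2918f0e1d2c3b4.update-cdn.example TXT
1700000011 10.0.0.5 www.microsoft.com A
1700000012 10.0.0.5 a5b4c3d2e1f00918273645fa.update-cdn.example TXT
1700000013 10.0.0.5 mail.example.com A
1700000014 10.0.0.5 1f2e3d4c5b6a79808f9e0d1c.update-cdn.example TXT
1700000015 10.0.0.5 login.microsoft.com A
1700000016 10.0.0.5 d8c7b6a5948372615f4e3d2c.update-cdn.example TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split a query name into (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. Real tooling should
    use the Public Suffix List so that e.g. host.example.co.uk is handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(log_text: str) -> dict:
    """Aggregate per-registered-domain features from the log. Malformed lines are skipped."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "length_sum": 0, "data_qtypes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, _, qname, qtype = parts
        sub, domain = split_qname(qname)
        st = stats[domain]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        st["length_sum"] += len(sub)
        if qtype.upper() in DATA_QTYPES:
            st["data_qtypes"] += 1
    return stats


def flag_dns_c2(log_text: str) -> list:
    """Return sorted (domain, reasons) pairs whose query pattern looks like DNS tunnelling."""
    flagged = []
    for domain, st in profile_domains(log_text).items():
        n = st["queries"]
        if n < MIN_QUERIES:
            continue
        unique_ratio = len(st["subdomains"]) / n
        mean_entropy = st["entropy_sum"] / n
        mean_length = st["length_sum"] / n
        reasons = []
        if unique_ratio >= UNIQUE_RATIO:
            reasons.append(f"unique_ratio={unique_ratio:.2f}")
        if mean_entropy >= MEAN_ENTROPY:
            reasons.append(f"mean_entropy={mean_entropy:.2f}")
        if mean_length >= MEAN_LENGTH:
            reasons.append(f"mean_length={mean_length:.1f}")
        if st["data_qtypes"] / n >= 0.5:
            reasons.append(f"data_qtypes={st['data_qtypes']}/{n}")
        # Require the "every subdomain is new" signal plus at least one corroborating one,
        # so a busy CDN with a handful of static hostnames is not flagged on its own.
        if unique_ratio >= UNIQUE_RATIO and len(reasons) >= 2:
            flagged.append((domain, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for domain, reasons in flag_dns_c2(SAMPLE_LOG):
        print(f"suspicious DNS C2 candidate: {domain} ({', '.join(reasons)})")
```

Run against the constructed log, only update-cdn.example is reported; example.com sees six queries but only three distinct hostnames, and microsoft.com has too few queries to judge. On real data the registered-domain split needs the Public Suffix List, the thresholds need tuning against a baseline, and the per-domain view should be joined with the number of distinct clients querying it, since a single host talking to a domain nobody else resolves is itself a useful signal.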
APT32 packs an impressive assortment of hacking tools, and whoever funds the group appears to be making sure it can compete with top-tier APTs such as Russia's Turla and North Korea's Lazarus. Both are believed to be backed by their governments, and the never-ceasing competition between nation states evidently extends into cyber warfare. The rising number of hacking groups with government links emphasizes the importance of keeping security policies and controls current.