Following in the footsteps of Microsoft, Google, and other technology companies that have taken action against APT groups, Facebook on Thursday said it has disrupted some of the operations of APT32, an attack group linked to Vietnam that has targeted activists, NGOs, and others for several years.
Facebook said it had been tracking a range of activity by APT32 on its platform, and, for the first time, publicly attributed the group’s activity to a technology company in Vietnam called CyberOne Group.
“The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin. We shared our findings including YARA rules and malware signatures with our industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked associated domains from being posted on our platform, removed the group’s accounts and notified people who we believe were targeted by APT32,” Facebook’s Nathaniel Gleicher, head of security policy, and Mike Dvilyanski, cyber threat intelligence manager, said in a post.
APT32 is also known as Ocean Lotus, and the group has targeted a variety of people and organizations, including government agencies in Cambodia and Laos. Earlier this year, researchers at FireEye found an APT32 campaign targeting agencies in the Chinese government involved in COVID-19 research. The group has used a number of different techniques in its intrusion campaigns, but often relies on watering hole attacks that employ compromised websites. The activity that Facebook tracked involved social engineering, malware, and the use of malicious mobile apps inserted into the Google Play store, along with watering hole attacks that use malicious JavaScript.
“As part of this, the group built custom malware capable of detecting the type of operating system a target uses (Windows or Mac) before sending a tailored payload that executes the malicious code. Consistent with this group’s past activity, APT32 also used links to file-sharing services where they hosted malicious files for targets to click and download,” Gleicher and Dvilyanski said.
“Most recently, they used shortened links to deliver malware. Finally, the group relied on Dynamic-Link Library (DLL) side-loading attacks in Microsoft Windows applications. They developed malicious files in exe, rar, rtf and iso formats, and delivered benign Word documents containing malicious links in text.”
APT32 has been operating for at least six years, and researchers have tracked its activities closely. Although not as prolific as groups from China, Russia, or Iran, APT32 has been consistent in its cyberespionage activities. The April campaign targeting COVID-19 research is a prime example. In that instance, the group used spear-phishing emails aimed at specific targets.
“Spear phishing messages were sent by the actor to China's Ministry of Emergency Management as well as the government of Wuhan province, where COVID-19 was first identified,” the FireEye report from April said.
“APT32 likely used COVID-19-themed malicious attachments against Chinese speaking targets. While we have not uncovered the full execution chain, we uncovered a METALJACK loader displaying a Chinese-Language titled COVID-19 decoy document while launching its payload.”
In addition to disrupting the APT32 activity, Facebook also took action against a group based in Bangladesh that the company said was targeting journalists and activists by using fake and compromised accounts. Facebook attributed the activity to a pair of nonprofits in Bangladesh, the Crime Research and Analysis Foundation and Don’s Team.
“Don’s Team and CRAF collaborated to report people on Facebook for fictitious violations of our Community Standards, including alleged impersonation, intellectual property infringements, nudity and terrorism. They also hacked people’s accounts and Pages, and used some of these compromised accounts for their own operational purposes, including to amplify their content,” Facebook said.
Facebook disabled the accounts and removed the pages associated with the group’s activities.