Vietnamese Hackers Oceanlotus Breach 100 Plus Websites

More than 100 websites were compromised by the hacking group OceanLotus, security researchers have confirmed. The hackers even managed to hijack the official site of President Rodrigo Duterte.

Volexity, a cybersecurity company, reported that the sophisticated group known as OceanLotus or APT32 had breached the websites of various government, human rights, military, state oil exploration and media organizations in order to stage future attacks.

The official website of the Association of Southeast Asian Nations (ASEAN) was among the compromised sites. Several Chinese websites, including BD Star, Chinese oil and China National United Oil Corporation, were also affected. Various ministries in Laos and Cambodia confirmed that they were affected by the breach, and the hackers also targeted the official site of the Armed Forces of the Philippines.

Volexity described the scale of this campaign as extraordinary. Only the Russian group known as Turla has previously been observed launching an attack on this scale. OceanLotus is believed to have operated unnoticed on several high-profile websites in recent years.

The hackers' main targets were websites of strategic significance, in particular those whose visitors were soft targets. The group compromised the sites by inserting malicious JavaScript, along with multiple web shell backdoors to maintain persistent access.

The injected JavaScript made HTTP and HTTPS calls to attacker-controlled domains and loaded various OceanLotus frameworks designed to track, identify and target visitors to the breached websites.

Visitors of interest were flagged for specific targeting and served additional JavaScript designed to compromise the user's email account and system.

Specific targets saw a popup every 24 hours when they accessed any of the affected websites. When clicked, the popup redirected the user to Google and initiated an OAuth authorization flow for an OceanLotus-controlled Google app which, if approved, gave the attackers access to the victim's contacts and email. Spear-phishing campaigns were also used against some targets to install backdoors on their systems.
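One defender-side check that the injection technique described above suggests, added here as an example and not code from Volexity or the article: compare the script sources a page actually serves against the hosts the site is known to load scripts from. The allowlist, page host and sample HTML below are constructed.

```python
"""Flag <script> sources not in a site's known baseline.

Added example, not Volexity's or the article's code. Sample HTML, page host and
allowlist are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline of hosts this hypothetical site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def find_unexpected_scripts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return script URLs whose host is neither the page's own host nor allowlisted.
    Relative paths have no host and count as same-origin; scheme-relative URLs
    (//host/path) yield a netloc from urlparse just as absolute URLs do."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    unexpected = []
    for src in collector.sources:
        host = urlparse(src).netloc.lower()
        if host and host != page_host and host not in allowed:
            unexpected.append(src)
    return unexpected

# Constructed page: two legitimate scripts and one injected external loader.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="//unknown-host.test/loader.js"></script>
<script>var inlineOnly = 1;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src in find_unexpected_scripts(SAMPLE_HTML, "www.example.org"):
        print("unexpected script source:", src)
```

Run against a fresh fetch of each page on a schedule and diff the result against the previous run; a new external host appearing is the signal worth alerting on.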

The group has also delivered malware through fake updates for Firefox, Chrome and Internet Explorer.

Researchers concluded that OceanLotus has strategically compromised a “staggeringly large number of websites”, mostly belonging to Vietnamese groups and individuals critical of government policies. The other affected websites were state-owned or state affiliates.

In a statement, Volexity said OceanLotus has rapidly enhanced its capabilities in recent years and is one of the most advanced APT groups currently operating.

Based on this recent campaign, Volexity believes OceanLotus is steadily building a highly organized network of operators specializing in computer network exploitation.