Facebook has suspended several accounts linked to the APT32 cyber espionage group, which abused the platform to spread malware.
The APT32 group, also known as OceanLotus and APT-C-00, which has ties to Vietnam, carried out cyber espionage activities against Chinese entities to gather intelligence about the COVID-19 crisis.
The APT32 group has been active since 2012; its targets include organizations across multiple industries as well as foreign governments, dissidents and journalists.
Since at least 2014, FireEye experts have observed APT32 targeting foreign companies with interests in Vietnam's manufacturing, consumer goods and hospitality industries. APT32 also targets peripheral network security and technology infrastructure companies, as well as security companies that may have ties to foreign investors.
“APT32 is a high-level persistent threat actor based in Vietnam, targeting local and foreign Vietnamese human rights activists, foreign governments in Laos and Cambodia, non-governmental organizations, news organizations, and many companies involved in information technology, hotels, agriculture and commodities, hospitals, retail, the automotive industry and mobile services with malware,” said Nathaniel Gleicher, head of security strategy at Facebook, and Mike Dvilyanski, cyber threat intelligence manager. “Our investigation links this activity to the CyberOne Group (also known as CyberOne Security, CyberOne Technology, Hanting Co., Ltd., Planet and Diacauso), an IT company in Vietnam.”
APT32 created and operated a network of fake Facebook accounts and pages, posing as human rights defenders or commercial entities.
APT32's carefully planned activities targeted human rights activists in Vietnam and abroad, foreign governments including those of Laos and Cambodia, non-governmental organizations, news agencies, and businesses in information technology, hospitality, agriculture and commodities, hospitals, retail, the automotive industry and mobile services.
The threat actors used romantic lures to contact people of interest, and set up pages designed to draw their followers into malware and phishing attacks.
The hackers also shared links to malicious Android applications that had been uploaded to the official Google Play store.
APT32 also carried out watering hole attacks through compromised websites or sites it operated itself. The cyber espionage group used custom malware designed to compromise the target computer with a tailored payload.
The social networking giant also shared information about the group with industry partners, including YARA rules and malware signatures, so that they can detect and block this activity. The company also blocked the domain used by the group.