The threat group has continued to grow since Volexity discovered in 2017 that OceanLotus(APT32) was behind a complex large-scale digital surveillance campaign. In 2019, Volexity gave a speech at the RSA Conference, which provided historical and up-to-date information on vietnam’s various operations that threaten actor OceanLotus. Notably, OceanLotus has set up and operated several activist, news and anti-corruption websites over the years. At first glance, it looks like these are real websites that have been compromised.
These fake sites have compelling legitimacy and allow OceanLotus full control over the tracking and attacks on site visitors. The most popular of these sites even have a corresponding Facebook page with more than 20,000 followers. These sites were shut down or abandoned shortly after the presentation.
But old habits and successful techniques will die. Volexity has discovered that OceanLotus has launched several new attacks through a number of fake websites and Facebook pages set up last year. In addition to targeting targets in Vietnam, Volexity has also identified new targets for OceanLotus’s southeast Asian neighbors.