Chinese hackers hacking Vietnam’s government network amidst increasing tensions in the South China Sea

The latest research by the leading US cybersecurity firm said that the alleged China-backed hackers could be behind a campaign to collect data from Vietnamese government officials amid increasing tensions between the two countries in the disputed East Sea (South China Sea).

According to research by the company providing information on intelligence threats, Anomali, a hacker group called Pirate Panda is trying to trick Vietnamese officials into opening malicious Microsoft Excel documents attached in the email about the holidays.

Hacker’s activity is to find loopholes to gain access to intranet systems and personal computers to steal information or sabotage software platforms

The location-targeted by the hackers were officials in Da Nang, the Vietnamese province assigned by the Vietnamese government to administrate the Hoang Sa (Paracels), which has been considered a “hot spot” that has caused recent tensions between Vietnam and China because of Chinese activities to assert its sovereignty over the archipelago.

Pirate Panda is a group of hackers specializing in performing targeted attacks (APT) backed by the Chinese state. The group is famous for cyber attacks targeting governments and political organizations.

Pirate Panda is also a group of hackers focused on attacking and exploiting data around the issue of territorial sovereignty in the South China Sea.

In this case, Pirate Panda uses an email bait with the subject of the itinerary for two Vietnamese holidays, April 30 and May 1. The documents in the malicious Microsoft Excel File are attached in potentially corrupted mail. The ability to infect victims is a malware similar to KeyBoy and ExileRat, which will then steal files and collect system information from the victim’s computer. The Pirate Panda team has used both of these tools in the past.

In recent days, Vietnam has publicly protested China’s new activities and has not recognized Beijing’s claims to the islands and rocks in the Paracels, while China said that Vietnam’s claims to this area are illegal.

Chinese hackers regularly launch cyber-espionage campaigns targeting targets related to their territorial conflicts. In 2018, Chinese hackers attacked U.S. defense and engineering companies, which have access to sensitive information related to the South China Sea dispute. This information is considered very useful for Beijing.

Neither Vietnam nor China have responded to the information about this latest cyberattack.

Meanwhile, another US cybersecurity firm, FireEye, published a report last week that a group of hackers, allegedly backed by the Vietnamese government, launched an attack on Chinese government website to search for information regarding Beijing’s treatment of the Covid-19 pandemic.

FireEye is a cybersecurity company that provides products and services to protect against online threats. It was established in 2004.

Have Vietnamese hackers targeted the Chinese government to get information about Covid-19? is the title of an article by Professor Carl Thayer, who is an Honorary Professor and a visiting member of the School of Humanities and Social Sciences, University of New South Wales at the Australian Defense Academy in Canberra.

On April 22, FireEye reported that at least from January to April 2020, suspects in Vietnam’s APT32 hacker group carried out offensive campaigns. to gather information about China’s Covid-19 development and treatment. The targets were the Chinese Ministry of Emergency Management and the city government of Wuhan, the disease epicenter.

A day later, speaking at a regular press conference, Vietnamese Deputy Foreign Ministry spokesman Ngo Toan Thang said the allegation was groundless. “Vietnam strictly prohibits cyber attacks against organizations and individuals in any form,” he said.

This article explores the historical development of the APT32 hacker group and the allegations that this group is involved with the Vietnamese government. In it, APT stands for Advanced Persistent Threat, ie the threat of continuous improvement.

APT32 was first identified in 2012 when this group of hackers initiated cyber attacks into China and then expanded to targets in Vietnam and the Philippines. APT32 is also known as OceanLotus, APT-C-00, SeaLotus and OceanBuffalo.

A cybersecurity specialist sketching a diagram depicting the process of creating traps and attacks by the APT32 Hacker group, also known as OceanLotus Group, has been operating since at least 2013, according to experts, this is a state-sponsored hacker group, according to FireEye

In 2016, Cybereason, the cyber-espionage company, discovered that the company had been hacked for a year, the links of those attacks led to APT32. The APT32 hackers targeted intellectual property, confidential business information and details of Cybereason projects. When Cybereason switched to blocking APT32, the hacker group proved to be a flexible opponent that quickly used its own tools to re-enter the Cybereason system.

Also in 2016, an incident-response analyst at FireEye with experience handling about twelve APT32 network hacks concluded that APT32’s attack purpose appeared to serve the Vietnamese state interests. FireEye analyst concluded that APT32 can carry out multiple campaigns simultaneously and has the resources and ability to carry out large-scale cyber attacks, especially data monitoring and testing. In a report published in May 2017, FireEye assessed that APT32 is a cyber espionage group involved in the interests of the Hanoi government.

Nick Carr, director of FireEye, who has been following APT32 since 2012, revealed that an investigation conducted in 2017 on attacks in Asia, Germany and the US found that the group spent at least for three years to target foreign corporations with interests in Vietnam in the field of manufacturing, consumer products and hotels.

In 2018, there were reports that OceanLotus / APT32, had been involved in industrial espionage for the past two years targeting carmakers BMW, Toyota and Hyundai. Media outlets quoted network analysts as saying network hacks appeared to support Vietnam’s production goals.

Vietnamese Prime Minister Nguyen Xuan Phuc speaking at the announcement of the establishment of the Department of Cybersecurity under Vietnam’s Ministry of Defense, January 8, 2018

In addition, Volexity, a cybersecurity company, reported in 2019 that APT32 launched an extremely sophisticated and extremely extensive mass surveillance campaign aimed at the independent journalists, human rights and civil society groups as well as the Association of Southeast Asian Nations.

Cyber ​​security firm CrowdStrike noted in late 2019 that the outbreak of Vietnam’s espionage, APT 32, began in 2012 and has increased since 2018, supposedly tied to Vietnam’s Government.

What are the factors that can motivate the Vietnamese government to assign APT32 to attack China’s government agencies and Wuhan city government to find information about the Covid-19?

Media reported that the US National Center for Medical Intelligence (NCMI) based on an analysis of telegraphs and data from computers as well as satellite images, concluded that an infectious disease spread through Wuhan and surrounding areas are at risk of affecting people’s health. The NCMI issued a confidential report in late November 2019 warning that an out-of-control disease poses a serious threat to U.S. forces in Asia. The NCMI briefed the matter to the Defense Intelligence Agency, the Pentagon General Staff Department, and the White House.

There is no clear reason why the Hanoi government could not detect this contagious disease in November 12, 2019, through human intelligence and the information from Chinese media and social networks.

If discovered, Vietnam’s first reaction would be to try and determine how deadly the Covid-19 is. Also learn as much as possible about the new disease and its potential impact on Vietnam. Vietnamese diplomats in China should be tasked with obtaining this information from their Chinese counterparts.

Due to China’s lack of transparency on the spread of Covid-19 until January, it is likely that Beijing officials have failed to respond to requests for information from their Hanoi colleagues. China’s lack of transparency will lead Vietnamese leaders to issue instructions, or task Hanoi’s various intelligence agencies and officials in China with priority to collect all source information about the pandemic. This will include open sources such as the internet, Weibo – a Chinese Facebook form, blog sites and electronic publications.

Vietnam may have gained access to intelligence obtained from friendly intelligence services through regular communication and exchange. Vietnam may have requested to provide information, share information or be provided with information. At a minimum, contact discussions may have revealed general concern about Covid-19.

In addition, Vietnam can also obtain information from human resources intelligence sources. These include sources of Chinese government officials, security services, health workers, research scientists and ordinary citizens in China and especially in Wuhan. Human resources sources also include Vietnamese and foreign residents in China, especially in Wuhan, such as businessmen, students and tourists.

In short, both human and signal sources are likely to confirm the first rumors about the occurrence and spread of the Covid-19 to Vietnamese intelligence collectors.

A FireEye report alleges that Vietnam’s first cyber-infiltration to collect information about Covod-19 was initiated to attack the Chinese Ministry of Emergency Management and the Wuhan city government on Jan 6 and continue throughout the first quarter of this year.

China’s lack of transparency may be an important motivating factor behind this decision.

Public evidence that APT32 is affiliated with the Vietnamese government is based on long-term oversight of the practices of professional cybersecurity companies.

APT32 acts against Vietnamese and foreign dissidents and targets foreign commercial businesses, suggesting that the hacker group may be affiliated with the Ministry of Public Security.

In 2017, the Ministry of Defense established the Cyber ​​War Command. It is possible that the APT32 hacker group is placed under the new Cyber ​​Command.

Vietnam’s most recent defense white paper released at the end of 2019 states “Vietnam is ready to use all measures in accordance with international law to prevent cyber-attacks to protect its own national rights and interests in cyberspace.”

It is hard to imagine that the Cyber ​​War Command did not develop some counter-attack capabilities that could allow attacks on Chinese government computers in the event of a mandatory situation.

However, it makes sense that APT32 is a unit of the Ministry of Information and Communications, or another ministry, or an independent unit that reports directly to the top leaders of the Vietnamese party and state.

With the new and very hot developments in the South China Sea, this is the time to start a war that Vietnam and China can immediately do, it is trying to attack each other’s networks, paralyzing all activities of the enemy before shooting in the field.

Hoang Lan from Hanoi – Thoibao.de (Translated)