APT32 attacks on Chinese government (2020): Difference between revisions
Jump to navigation
Jump to search
Content added Content deleted
(Created page with "{| class="wikitable" ! scope="row"|Date |From at least January to April 2020. |- ! scope="row"|Suspected actor |Hacking group APT32 (also known as OceanLotus or APT-C-00), allegedly working for the Vietnamese government. Vietnam has denied all allegations as groundless. |- ! scope="row"|Victims |Various Chinese public authorities, including China’s Ministry of Emergency Management and the government of Wuhan province. 1 In addition, the operation also allegedly affec...") |
No edit summary |
||
| Line 1: | Line 1: | ||
{| class="wikitable" |
{| class="wikitable" |
||
! scope="row"|Date |
! scope="row"|Date |
||
|From at least January to April 2020<ref name=":1">Scott Henderson, Gabby Roncone, Sarah Jones, John Hultquist, Ben Read, [https://www.mandiant.com/resources/apt32-targeting-chinese-government-in-covid-19-related-espionage Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage], 22 April 2020, Mandiant.com</ref>. |
|||
|From at least January to April 2020. |
|||
|- |
|- |
||
! scope="row"|Suspected actor |
! scope="row"|Suspected actor |
||
|Hacking group APT32 (also known as OceanLotus or APT-C-00), allegedly working for the Vietnamese government. Vietnam has denied all allegations as groundless. |
|Hacking group APT32 (also known as OceanLotus or APT-C-00), allegedly working for the Vietnamese government.<ref>Carl Thayer,[https://thediplomat.com/2020/05/did-vietnamese-hackers-target-the-chinese-government-to-get-information-on-covid-19/ Did Vietnamese Hackers Target the Chinese Government to Get Information on COVID-19?] , 4 May 2020, the Diplomat.</ref> Vietnam has denied all allegations as groundless.<ref name=":0">Embassy of the Socialist Republic of Vietnam in the United States of America, [https://vietnamembassy-usa.org/news/2020/04/fireeyes-groundless-statement-viet-nam-assisted-apt32-hacker-group FIREEYE'S GROUNDLESS STATEMENT ON VIET NAM ASSISTED THE APT32 HACKER GROUP], 24 April 2020.</ref> |
||
|- |
|- |
||
! scope="row"|Victims |
! scope="row"|Victims |
||
|Various Chinese public authorities, including China’s Ministry of Emergency Management and the government of Wuhan province. |
|Various Chinese public authorities, including China’s Ministry of Emergency Management and the government of Wuhan province. In addition, the operation also allegedly affected Chinese-speaking individuals who were interested in COVID-19.<ref name=":1" /> |
||
|- |
|- |
||
! scope="row"|Target systems |
! scope="row"|Target systems |
||
| Line 13: | Line 13: | ||
|- |
|- |
||
! scope="row"|Method |
! scope="row"|Method |
||
|1. Sending phishing emails with tracking links. APT32 sent emails with embedded tracking links to China’s Ministry of Emergency Management using the sender address. The embedded link contained the victim’s email address and code to report back to the actors if the email was opened.1 |
|1. Sending phishing emails with tracking links. APT32 sent emails with embedded tracking links to China’s Ministry of Emergency Management using the sender address. The embedded link contained the victim’s email address and code to report back to the actors if the email was opened.<ref name=":1" /> |
||
2. Using a decoy document. APT32 likely used COVID-19-themed malicious attachments against Chinese-speaking targets. While the full execution chain has not been uncovered, FireEye uncovered a Metaljack loader displaying a Chinese-language titled COVID-19 decoy document while launching its payload. The shellcode payload collected system information and appended it to URL strings, and if successfully called, it loaded Metaljack into memory.1 |
2. Using a decoy document. APT32 likely used COVID-19-themed malicious attachments against Chinese-speaking targets. While the full execution chain has not been uncovered, FireEye uncovered a Metaljack loader displaying a Chinese-language titled COVID-19 decoy document while launching its payload. The shellcode payload collected system information and appended it to URL strings, and if successfully called, it loaded Metaljack into memory.<ref name=":1" /> |
||
|- |
|- |
||
! scope="row"|Purpose |
! scope="row"|Purpose |
||
|Cyber espionage which was allegedly designed to collect intelligence on the COVID-19 crisis.1 |
|Cyber espionage which was allegedly designed to collect intelligence on the COVID-19 crisis.<ref name=":1" /> |
||
|- |
|- |
||
! scope="row"|Result |
! scope="row"|Result |
||
|It is unclear if the intrusion attempts in China were successful. Confidential COVID-19 related state and government data may have been compromised. Additional trojans and malware infections may also have been installed, allowing data exfiltration in the future. |
|It is unclear if the intrusion attempts in China were successful. Confidential COVID-19 related state and government data may have been compromised.<ref>Jack Stubbs, Raphael Satter, [https://www.reuters.com/article/us-health-coronavirus-cyber-vietnam-idUSKCN2241C8 Vietnam-linked hackers targeted Chinese government over coronavirus response: researchers], 22 April 2020, Reuters.com.</ref> Additional trojans and malware infections may also have been installed, allowing data exfiltration in the future.<ref>CISOMAG, [https://cisomag.eccouncil.org/vietnams-apt32-group-uses-covid-19-to-target-chinese-health-authorities/ Vietnam’s APT32 Group Uses COVID-19 to Target Chinese Health Authorities], 27 April 2020, cisomag.com.</ref> |
||
|- |
|- |
||
! scope="row"|Aftermath |
! scope="row"|Aftermath |
||
|It is unclear whether the APT32 intrusions have usefully contributed to the Vietnamese government’s public health response. In any case, Vietnam has denied all allegations as groundless. |
|It is unclear whether the APT32 intrusions have usefully contributed to the Vietnamese government’s public health response.<ref>Ankit Panda, [https://thediplomat.com/2020/04/offensive-cyber-capabilities-and-public-health-intelligence-vietnam-apt32-and-covid-19/ Offensive Cyber Capabilities and Public Health Intelligence: Vietnam], APT32, and COVID-19, 24 April 2020, The Diplomat.</ref> In any case, Vietnam has denied all allegations as groundless.<ref name=":0" /> |
||
|- |
|- |
||
! scope="row"|Analysed in |
! scope="row"|Analysed in |
||
Latest revision as of 15:06, 5 May 2022
| Date | From at least January to April 2020[1]. |
|---|---|
| Suspected actor | Hacking group APT32 (also known as OceanLotus or APT-C-00), allegedly working for the Vietnamese government.[2] Vietnam has denied all allegations as groundless.[3] |
| Victims | Various Chinese public authorities, including China’s Ministry of Emergency Management and the government of Wuhan province. In addition, the operation also allegedly affected Chinese-speaking individuals who were interested in COVID-19.[1] |
| Target systems | Computers belonging to the Chinese government and affected Chinese-speaking individuals. |
| Method | 1. Sending phishing emails with tracking links. APT32 sent emails with embedded tracking links to China’s Ministry of Emergency Management using the sender address. The embedded link contained the victim’s email address and code to report back to the actors if the email was opened.[1]
2. Using a decoy document. APT32 likely used COVID-19-themed malicious attachments against Chinese-speaking targets. While the full execution chain has not been uncovered, FireEye uncovered a Metaljack loader displaying a Chinese-language titled COVID-19 decoy document while launching its payload. The shellcode payload collected system information and appended it to URL strings, and if successfully called, it loaded Metaljack into memory.[1] |
| Purpose | Cyber espionage which was allegedly designed to collect intelligence on the COVID-19 crisis.[1] |
| Result | It is unclear if the intrusion attempts in China were successful. Confidential COVID-19 related state and government data may have been compromised.[4] Additional trojans and malware infections may also have been installed, allowing data exfiltration in the future.[5] |
| Aftermath | It is unclear whether the APT32 intrusions have usefully contributed to the Vietnamese government’s public health response.[6] In any case, Vietnam has denied all allegations as groundless.[3] |
| Analysed in | Scenario 02: Cyber espionage against government departments |
Collected by: Wei Xinyu
- ↑ 1.0 1.1 1.2 1.3 1.4 Scott Henderson, Gabby Roncone, Sarah Jones, John Hultquist, Ben Read, Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage, 22 April 2020, Mandiant.com
- ↑ Carl Thayer,Did Vietnamese Hackers Target the Chinese Government to Get Information on COVID-19? , 4 May 2020, the Diplomat.
- ↑ 3.0 3.1 Embassy of the Socialist Republic of Vietnam in the United States of America, FIREEYE'S GROUNDLESS STATEMENT ON VIET NAM ASSISTED THE APT32 HACKER GROUP, 24 April 2020.
- ↑ Jack Stubbs, Raphael Satter, Vietnam-linked hackers targeted Chinese government over coronavirus response: researchers, 22 April 2020, Reuters.com.
- ↑ CISOMAG, Vietnam’s APT32 Group Uses COVID-19 to Target Chinese Health Authorities, 27 April 2020, cisomag.com.
- ↑ Ankit Panda, Offensive Cyber Capabilities and Public Health Intelligence: Vietnam, APT32, and COVID-19, 24 April 2020, The Diplomat.