APT32 attacks on Chinese government (2020)

From International cyber law: interactive toolkit
Revision as of 14:52, 5 May 2022 by Nukib472.
Date: From at least January to April 2020.

Suspected actor: Hacking group APT32 (also known as OceanLotus or APT-C-00), allegedly working for the Vietnamese government. Vietnam has denied all allegations as groundless.

Victims: Various Chinese public authorities, including China’s Ministry of Emergency Management and the government of Wuhan province.[1] In addition, the operation also allegedly affected Chinese-speaking individuals who were interested in COVID-19.[1]

Target systems: Computers belonging to the Chinese government and to the affected Chinese-speaking individuals.
Method:

1. Sending phishing emails with tracking links. APT32 sent emails with embedded tracking links to China’s Ministry of Emergency Management using the sender address. The embedded link contained the victim’s email address together with code that reported back to the actors when the email was opened.[1]

2. Using a decoy document. APT32 likely used COVID-19-themed malicious attachments against Chinese-speaking targets. Although the full execution chain has not been uncovered, FireEye identified a Metaljack loader that displayed a decoy document with a Chinese-language COVID-19-related title while launching its payload. The shellcode payload collected system information and appended it to URL strings; if the callback succeeded, it loaded Metaljack into memory.[1]
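The per-recipient tracking link described in step 1 has a detectable fingerprint: the URL carries the recipient's own address, either in clear text, URL-encoded, base64-encoded or as a hash, so that an open or a click identifies exactly who received the message. The following script is an added example written for this page (it is not code from the toolkit, from FireEye or from any of the parties named above) that scans an email's HTML body for links embedding the recipient address in any of those forms. The function names, the domains and the sample message are constructed for illustration.

```python
"""Flag hyperlinks and image sources in an email body that embed the
recipient's own address, the hallmark of per-recipient tracking links.
Added example; helper names and sample data are hypothetical."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote


class _LinkExtractor(HTMLParser):
    """Collect href/src attribute values from <a> and <img> tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and tag in ("a", "img") and name in ("href", "src"):
                self.urls.append(value)


def _encodings(address):
    """Forms in which a tracking link commonly carries the recipient address."""
    raw = address.lower().encode()
    return {
        "plain": address.lower(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "urlsafe_b64": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def find_tracking_links(html_body, recipient):
    """Return a list of (url, encoding_name) for every link that embeds
    the recipient address; an empty list means nothing was found."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    forms = _encodings(recipient)
    hits = []
    for url in parser.urls:
        decoded = unquote(url)  # undo %40 and friends before matching
        for form_name, token in forms.items():
            # base64 is case-sensitive; plain text and hex digests are not
            if form_name in ("base64", "urlsafe_b64"):
                found = token in decoded
            else:
                found = token in decoded.lower()
            if found:
                hits.append((url, form_name))
                break
    return hits


# Constructed sample message (not a real lure): one legitimate link, one
# 1x1 tracking pixel with a base64-encoded recipient, one link with the
# recipient URL-encoded in a query parameter.
SAMPLE_RECIPIENT = "analyst@example.gov.invalid"
SAMPLE_HTML = """
<html><body>
<p>Latest emergency response bulletin attached.</p>
<a href="https://cdn.example.invalid/doc.pdf">Download</a>
<img src="https://track.example.invalid/open?u=YW5hbHlzdEBleGFtcGxlLmdvdi5pbnZhbGlk&id=7" width="1" height="1">
<a href="https://news.example.invalid/item?r=analyst%40example.gov.invalid">Read more</a>
</body></html>
"""

if __name__ == "__main__":
    for url, how in find_tracking_links(SAMPLE_HTML, SAMPLE_RECIPIENT):
        print(f"tracking link ({how}): {url}")
```

Run against the constructed message it reports the pixel (base64) and the "Read more" link (plain), and ignores the plain download link. In a mail gateway this check belongs alongside the usual sender-reputation rules: a recipient-specific token in a URL is not malicious on its own (marketing mail does the same), but combined with an unknown sender and a government recipient it is a strong reason to quarantine and to block the callback domain at the proxy.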

Purpose: Cyber espionage, allegedly designed to collect intelligence on the COVID-19 crisis.[1]

Result: It is unclear whether the intrusion attempts in China were successful. Confidential COVID-19-related state and government data may have been compromised, and additional trojans or malware may have been installed, allowing future data exfiltration.

Aftermath: It is unclear whether the APT32 intrusions usefully contributed to the Vietnamese government’s public health response. In any case, Vietnam has denied all allegations as groundless.

Analysed in: Scenario 02: Cyber espionage against government departments

Collected by: Wei Xinyu