The inner workings of a prolific cyberespionage group known as the OceanLotus Group or APT32, which is known to target major private firms and international governments, have been laid bare by security researchers.
The OceanLotus Group attempted to steal proprietary data from an unspecified major Asian firm, but was caught in the act by security researchers, who then tracked and studied the group's entire attack life-cycle to understand how such an advanced hacking unit works "under the hood".
Security researchers uncovered the OceanLotus Group targeting the top management of the Asian firm in a campaign the researchers dubbed "Operation Cobalt Kitty". The group compromised 40 computers and servers belonging to the company over the course of a year before the intrusion was detected. The researchers noted that the group was highly adaptive and kept updating its tooling to evade detection.
"The threat actor targeted the company's top-level management by using sophisticated spear-phishing attacks as the initial penetration vector, ultimately compromising the computers of vice presidents, senior directors and other key personnel in the operational departments," Cybereason researchers said in a report.
OceanLotus Group used customised tools in attack
To conduct the attacks, the hackers used a combination of publicly available hacking tools (which they modified to fit their attack strategy) and six "undocumented custom-built tools", which Cybereason researchers describe as the group's "signature tools".
"Among these tools are two backdoors that leveraged DLL hijacking attacks against legitimate Microsoft, Google and Kaspersky applications. In addition, they developed a novel and stealthy backdoor that targets Microsoft Outlook for command-and-control channel and data exfiltration," researchers said.
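The DLL hijacking mentioned in that quote relies on a trusted, signed executable loading a DLL from its own directory, where an attacker has planted a malicious file under the expected name. As an added illustration (not code from Cybereason's report or from the researchers quoted above), the following PowerShell script hunts for that pattern on a Windows host: it walks the given directories, finds signed executables, and flags any DLL sitting beside them that is unsigned or signed by a different publisher. The search roots and the output fields are assumptions chosen for this example.

```powershell
# Added example: list DLL side-loading candidates, i.e. DLLs that sit next to a
# validly signed executable but are unsigned or carry a different signer.
# Search roots below are an assumption; adjust them for the host being checked.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA")
)

function Get-Publisher {
    # Returns the signer subject for a validly signed file, or $null when the
    # file is unsigned or its signature does not validate.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        return $sig.SignerCertificate.Subject
    }
    return $null
}

function Find-SideLoadCandidates {
    param([string[]]$SearchRoots)
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = $_
            $exePublisher = Get-Publisher $exe.FullName
            # Only signed hosts matter here: those are the ones an attacker
            # borrows trust from by side-loading a DLL next to them.
            if (-not $exePublisher) { return }
            Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dllPublisher = Get-Publisher $_.FullName
                if ($dllPublisher -ne $exePublisher) {
                    [pscustomobject]@{
                        Executable   = $exe.FullName
                        ExePublisher = $exePublisher
                        Dll          = $_.FullName
                        DllPublisher = if ($dllPublisher) { $dllPublisher } else { 'UNSIGNED' }
                        DllModified  = $_.LastWriteTime
                    }
                }
            }
        }
    }
}

# Most recently written DLLs first: a fresh DLL beside an old, signed
# executable is the first thing worth a closer look.
Find-SideLoadCandidates -SearchRoots $Roots |
    Sort-Object DllModified -Descending |
    Format-Table -AutoSize
```

This is a triage aid, not a verdict: many legitimate applications ship unsigned or differently signed helper DLLs, so the list will be noisy, and the DllModified timestamp against the executable's own install date is usually the fastest way to separate a planted file from a vendor's own. It also will not catch a hijack where the planted DLL carries a valid signature from the same publisher, or one loaded from a directory other than the executable's own.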
"The scale of this [attack] was quite alarming. This is not a mom and pop operation," Cybereason's director of advanced security Assaf Dahan told Wired. "We could have kept it in the dark, we tried to protect our customers' anonymity so we could have not published at all. But we felt that once we go public with it more security companies and maybe government agencies will notice it and help put a stop to this group."
Who are the OceanLotus Group?
Although not much is currently known about the hacker group, its origins, or whether it is affiliated with any government, its advanced attack techniques indicate that the group has been active for a while.
According to a report by Wired, the OceanLotus Group has been active since 2012 and has predominantly targeted Asian organisations across China, Vietnam and the Philippines.
Despite the fact that many aspects of the hacker group remain a mystery, one thing is clear: the OceanLotus Group is a very advanced player in cyberspace. Its ability to run several campaigns simultaneously and to adapt seamlessly to evade antivirus detection is further evidence of the group's capabilities.