Facebook turns vigilante, doxes APT32 linking Vietnam’s primary hacking group to local IT firm
Facebook’s security team announced on Thursday that it believes APT32, one of the most active state-sponsored hacking groups, has been linked to the Vietnamese government.
The company reportedly took this step after suspecting that APT32 was using its platform to spread malware in attempts to infect users.
“Our investigation linked this activity to CyberOne Group [archived website, archived Facebook page], an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso),” said Nathaniel Gleicher, Head of Security Policy at Facebook, and Mike Dvilyanski, Cyber Threat Intelligence Manager.
According to the investigation, APT32 had been operating on Facebook through fake personal accounts and pages, usually posing as activists or business entities. These accounts and pages would then often share links with their targets that led either to phishing attacks or to malware. The group has even managed to include links to Android apps on the Play Store that it then uses to spy on its targets.
The targeted entities, according to Facebook, are as follows:
- Vietnamese human rights activists locally and abroad
- Foreign governments, including those in Laos and Cambodia
- Non-governmental organizations
- News agencies
- Businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services
Especially worrying is the targeting of human rights activists. Facebook has taken down the group’s accounts and pages and blocked the group’s domains, preventing the group from reusing them. It has also shared YARA rules and malware signatures, so other social networks and security firms can take action and protect their users.
APT32, sometimes dubbed OceanLotus, is believed to have been operating since 2014. In addition to targeting political dissidents and activists, the group has also been targeting private businesses that might be of particular interest to the Vietnamese government. At a time when the DOJ is stepping on Facebook and its Section 230 privileges, the doxing move by Facebook might either be praised or seen as overstepping.