Kabar Medsos – Cybersecurity investigators at Facebook have traced a hacking group long suspected of spying on behalf of the Vietnamese government to an IT company in Ho Chi Minh City.
The announcement on Friday is the first time Facebook has publicly exposed an offensive hacking operation and, if confirmed, would be a rare case of suspected state-backed cyberspies being tracked to a specific organisation.
The hackers, known as OceanLotus or APT32, have been accused for years of spying on political dissidents, businesses and foreign officials. Reuters reported this year that the group had attempted to break into China’s Ministry of Emergency Management and the government of Wuhan as the COVID-19 outbreak first spread.
Facebook said it had found links between cyberattacks previously attributed to OceanLotus and a Vietnamese company called CyberOne Group, which lists an address on a side street in a commercial district of Ho Chi Minh City.
CyberOne Group denied being connected to the hackers.
“We are NOT Ocean Lotus,” said a person operating the company’s now-suspended Facebook page. “It’s a mistake.”
Vietnam’s foreign ministry, which handles enquiries from international media, did not immediately respond to a request for comment. The ministry has previously denied connections to OceanLotus attacks.
Facebook said the hackers had used its platforms to carry out a range of cyberattacks, some of which employed fake accounts to trick targets by posing as activists, businesses and possible love interests.
Nathaniel Gleicher, Facebook’s head of cybersecurity policy, said his team had found technical evidence that linked CyberOne’s Facebook page to accounts used in the hacking campaign, as well as to other OceanLotus attacks.
He declined to detail the exact evidence, saying to do so would make the group more difficult to track in the future. But he said it included online infrastructure, malicious code, and other hacking tools and techniques.
“The actors in this space use some very defined techniques and if we are too public about how we observe those, it really does harm our ability to catch more of this,” Gleicher said.
MOVIE THEATRE AND YOGA
Although OceanLotus has not gained the same level of notoriety in the West as some suspected Chinese and Russian state-backed hacking operations, it has been prolific in Southeast Asia.
Ben Read, a senior manager at U.S. cybersecurity firm FireEye, and Marc-Étienne Léveillé, a researcher at Slovakian software security group ESET, said the hacking activity uncovered by Facebook matched operations attributed to OceanLotus.
Read said OceanLotus had been active since at least 2013 and had “all the hallmarks of a substantial state-backed organisation acting in support of Vietnamese government”.
Facebook said it did not have sufficient evidence to attribute OceanLotus beyond CyberOne Group, which it said has also used the names CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso.
CyberOne reveals little information about itself on its website, saying only that it has around 200 employees providing a range of “essential security technologies”.
A careers page that was removed shortly after Reuters contacted the company advertised positions for people with hacking skills and experience in malware analysis. Recruiters boasted of a generous benefits package, including free meals, a mini movie theatre and after-work yoga.
In Vietnam, Facebook is navigating a standoff with government officials who have threatened to ban it if it does not agree to censorship demands.
April that Facebook had complied with a government request to increase its censorship of “anti-state” posts after its servers in Vietnam were taken offline, slowing traffic there to a crawl.