May 17, 2017
Hackers 'Aligned' With Vietnam Government Targeting Foreign Businesses: FireEye

Hacking groups "aligned" with the Vietnamese government are attacking organizations based in foreign countries, a report today has revealed. American cybersecurity firm FireEye said the espionage campaign is founded on a unique suite of "fully-featured" malware tools.

The activity commenced several years ago when hackers began to target international companies with a presence in Vietnam's markets. FireEye stumbled across the large-scale campaign while investigating cyber intrusions at several of the businesses involved. After finding significant "attacker-controlled infrastructure" that pointed to a sophisticated and tightly controlled attack, the company broadened its investigation in March 2017.

FireEye has now ascertained that intrusions have been made into the networks of governments, high-profile individuals and a range of private sector companies. The information being sought consistently suggests there is a link between the hacking groups and the Vietnamese government.

Companies targeted by the campaign, known as "APT32," include a German industrial manufacturing business and a US consumer products firm. This kind of intrusion has been observed before from groups based in China and Russia. APT32 differs from previous efforts as it focuses on monitoring how targets adhere to Vietnam's internal regulations. In contrast, Chinese circles are often looking to steal intellectual property while Russian circles tend to be politically motivated.

APT32's unique focus implies that Vietnam's government is trying to retain a strong hold on both the industrial and consumer product markets in the nation. Although FireEye is avoiding direct confirmation of the link's existence, Vietnam seems to be gauging how international companies comply with its rules by spying on them over the Internet.

A person looks at a computer screen with code in the background and a password entry window on top
[Image by g-stockstudio/Thinkstock]

"It appears APT32 was conducting intrusions to investigate the victims' operations and assess their adherence to regulations," Nick Carr, a senior manager at FireEye's Mandiant incident response team, commented to CNBC. "That's where it starts to be really unusual and is a significant departure from the wide-scale intellectual property theft and espionage that you see from a Chinese group, or political espionage or information operations from a Russian group."

The malware used in the attacks is described as possessing "nation-grade" capabilities. In its current form, APT32 relies on disguised ActiveMime files to infect target machines. The files appear to be innocuous Microsoft Office documents but actually contain malicious macros.

Using social engineering methods based on phishing approaches, the campaign perpetrators convince targets to open one of the files. It's actually a web page that displays in the browser. Through a combination of fake error messages and claims of "missing fonts," the attackers next mislead the user into enabling the macro code, giving them an entry point to the rest of the system.

Through a complex chain of events, APT32 embeds itself deep into Windows, creates scheduled tasks to ensure it launches on start-up and establishes communications with its creator. The real payload of the attack is then delivered, installing the espionage capabilities and commencing data collection.

A red padlock icon on a background of text in the context of computer code
[Image by BeeBright/Thinkstock]

When it's fully configured, APT32 comes with a malware suite that lets the attackers view hardware information, create, edit, upload and delete files, remotely execute code, stop running processes and manipulate essential components deep within the Windows operating system. In total, four distinct backdoors are added to the computer.

The exact relationship between the attackers and the Vietnamese government remains unclear. Although the connection is still surrounded by questions, FireEye said to CNBC that the information harvested by APT32 would have "very little use" to any other actor.

The location of the hackers hasn't been ascertained. It's unlikely more information about the perpetrators will be determined. Notably, FireEye has been unable to confirm whether the group is working for the Vietnamese government or on its behalf. In either case, the implications are still serious.

The Vietnamese government has denied the contents of FireEye's report, telling Reuters that it "condemns" cyber attacks against organizations and individuals. It said it would "closely cooperate" with the international cyber security community to help prevent and respond to future malware campaigns.

The report comes in the wake of the last week's global cyber attacks led by the WannaCry ransomware. Although WannaCry isn't related to APT32, it has targeted computers in over 100 countries, making its distribution one of the most widespread ever observed. Seen as a wake-up call by organizations and governments worldwide, it has triggered a rise in security spending which has benefitted security companies including FireEye.

[Featured Image by scyther5/Thinkstock]