LONDON/HANOI (Reuters) – Cybersecurity investigators at Facebook have traced a hacking group long suspected of spying on behalf of the Vietnamese government to an IT company in Ho Chi Minh City.
The announcement on Friday is the first time Facebook has publicly exposed an offensive hacking operation and, if confirmed, would be a rare case of suspected state-backed cyberspies being tracked to a specific organisation.
The hackers, known as OceanLotus or APT32, have been accused for years of spying on political dissidents, businesses and foreign officials. Reuters reported this year that the group had attempted to break into China’s Ministry of Emergency Management and the government of Wuhan as the COVID-19 outbreak first spread.
Facebook said it had found links between cyberattacks previously attributed to OceanLotus and a Vietnamese company called CyberOne Group, which lists an address on a sidestreet in a commercial district of Ho Chi Minh city.
CyberOne Group denied being connected to the hackers.
“We are NOT Ocean Lotus,” a person operating the company’s now-suspended Facebook page said when contacted by Reuters. “It’s a mistake.”
Vietnam’s foreign ministry, which handles enquiries from international media, did not immediately respond to a request for comment. The ministry has previously denied connections to OceanLotus attacks.
Facebook said the hackers had used its platforms to carry out a range of cyberattacks, some of which employed fake accounts to trick targets by posing as activists, businesses and possible love interests.
Nathaniel Gleicher, Facebook’s head of cybersecurity policy, said his team had found technical evidence that linked CyberOne’s Facebook page to accounts used in the hacking campaign, as well as to other OceanLotus attacks.
He declined to detail the exact evidence, saying to do so would make the group more difficult to track in the future. But he said it included online infrastructure, malicious code, and other hacking tools and techniques.
“The actors in this space use some very defined techniques and if we are too public about how we observe those, it really does harm our ability to catch more of this,” Gleicher said.
