Cyberattacks Launch Against Vietnamese Human-Rights Activists

Vietnam joins the ranks of governments using spyware to crack down on human-rights defenders.

Human-rights activists are being targeted by cyberattacks as part of a wider effort by the Vietnamese state to censor anyone speaking out against the government, Amnesty International’s Security Lab alleges.

Ocean Lotus, a well-known threat actor dating back to 2013, is behind the spyware campaign against human-rights defenders and has long been identified as having goals “aligned with the Vietnamese state interests,” according to Amnesty International’s report on the situation.

Spyware is just the latest tool turned against dissenting bloggers and activists by the Vietnamese government, an arsenal which also includes harassment, assault, travel bans and jail, the report explained.

Vietnam’s Digital Censorship

A cybersecurity law passed in 2019 gave the government in Hanoi sweeping control over who has access to the internet, according to Amnesty International. But those human-rights defenders (HRDs) who remain online have emerged as targets for Ocean Lotus attacks, the report added.


The first spyware attacks against government dissidents began in Feb. 2018, according to Amnesty International’s investigation.

The targets have included pro-democracy activist Bui Thanh Hieu, now living in Germany; the Vietnamese Overseas Initiative for Conscience Empowerment (VOICE), a non-profit supporting Vietnamese refugees and human rights; and an unidentified blogger inside Vietnam who is a critic of the government. All of them received emails with spyware either as an attachment or link, researchers said.

The Security Lab team identified spyware for both macOS and Windows operating systems.

“The Windows spyware was a variant of a malware family called Kerrdown, and used exclusively by the Ocean Lotus group,” the report explained. “Kerrdown is a downloader that installs additional spyware from a server on the victim’s system and opens a decoy document.”

The link downloaded the Cobalt Strike penetration testing toolkit, giving the attackers control over the targeted system and arming them to spread laterally.

The macOS version of Cobalt Strike is a bespoke version of malware used only by Ocean Lotus, the report added.

Amnesty International suggests anyone who might be a target of this type of malware attack should pay close attention to links, enable two-factor authentication (2FA), use antivirus software and run software updates.

Cyberattacks Against Human Rights Defenders

This latest report is just another instance in a long list of state-aligned campaigns organized against human-rights defenders and civil society.

This week, Tibetan communities were targeted by a customized malicious Firefox extension to provide access and control to threat actors working with the Chinese Communist Party, according to researchers at Proofpoint.

And last summer, Android spyware called ActionSpy was sent to victims across Tibet, Turkey and Taiwan in an effort to collect data on minority Uyghur populations, victims of Chinese-state-sponsored human rights abuses.

Other malware, including Android surveillance tools called SilkBean, GoldenEagle, CarbonSteal and Double-Agent, was also deployed by Chinese-government-aligned actors in July as part of the ongoing surveillance campaign of Uyghur Muslims, dating back to 2013.

The security industry, along with Amnesty International and other groups like the Electronic Frontier Foundation, continues to raise the alarm about the real-world, life-and-death consequences of cybersecurity when tools are turned against the globe’s most vulnerable populations.

“When we talk about security, we have to ask, ‘security for who?’” EFF’s Eva Galperin explained at a 2019 Black Hat session called “Hacking for the Greater Good: Empowering Technologists to Strengthen Digital Society.” “It’s usually for governments or corporations. We don’t talk about security for individuals, particularly individuals who don’t have a lot of spending money.”

 
