APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.
Name: APT32 (Mandiant), OceanLotus (SkyEye Labs), SeaLotus (?), APT-C-00 (Qihoo 360), Ocean Buffalo (CrowdStrike), Tin Woodlawn (SecureWorks), ATK 17 (Thales), SectorF01 (ThreatRecon)
Location: Vietnam
Suspected attribution: State-sponsored
Date of initial activity:
Targets: Multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
Motivation: Espionage – Surveillance
Associated tools: Cobalt Strike, Denis, Goopy, JEShell, KerrDown, Mimikatz, Ratsnif, Remy, Rizzo, RolandRAT
Attack vectors: They have extensively used strategic web compromises to compromise victims.
How they work: TIN WOODLAWN is a targeted threat group, active since at least 2014, that CTU researchers assess with moderate confidence is operated or tasked by the Vietnamese government. It has targeted automotive manufacturers, media, non-governmental organizations, dissidents or social groups of interest to the Vietnamese government in Vietnam or overseas, and regional governance groups and national governments neighboring Vietnam.
TIN WOODLAWN is technically capable and uses a range of techniques including template injection, obfuscated macros and steganography for malware delivery, memory-resident malware, use of native command line scripts for Cobalt Strike persistence, and non-standard command and control channels such as DNS and ICMP.