APT of Interest: Ocean Buffalo

July 9, 2020 | 2 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Ocean Buffalo (aka APT32, OceanLotus, SeaLotus) is a Vietnam-based targeted intrusion adversary reportedly active since 2012. The group employs both custom and off-the-shelf tooling and a wide range of tactics. Targeted organizations are primarily located in East and Southeast Asia, notably China, the Philippines, and Vietnam; however, targeting of organizations in Western countries has increased as well. Observed activity indicates a broad mission that includes operations focused on Vietnamese internal security issues, foreign intelligence collection, and limited economic espionage.

On April 22, 2020, FireEye reported that Ocean Buffalo had carried out a series of intrusion campaigns against Chinese targets designed to collect intelligence on the COVID-19 crisis. According to that reporting, between January and April 2020 Ocean Buffalo targeted China’s Ministry of Emergency Management and the Wuhan municipal government with spear-phishing emails. FireEye’s assessment is straightforward: the uncertainty surrounding the COVID-19 crisis and the prevailing air of distrust are incentivizing governments to scale up their intelligence collection, and this trend is likely to continue.

In late April, Ocean Buffalo again made the news when Kaspersky published details of a long-running campaign it dubbed “PhantomLance,” an espionage campaign targeting Android users in Asia. Spyware unique to this effort was distributed inside various applications through online app marketplaces, including the official Google Play store as well as third-party stores such as APKPure. Kaspersky first spotted the campaign in 2019 but determined it had been ongoing since at least 2016.

The trojanized applications were accompanied by developer profiles, including GitHub accounts hosting fake end-user license agreements, to make them look legitimate. The threat actor typically uploaded an initial version of each application without any malicious payload or code; once that version had been accepted into a marketplace, later versions that included the malware or a loader for it were pushed as updates. This tactic got past even the Google Play store’s screening.
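The clean-first-then-update pattern described above is exactly what a per-update review should catch: what matters is not the capabilities of the first submission but what each subsequent version adds. The Python below is an added example, not BlueVoyant’s or Kaspersky’s tooling. It diffs two constructed AndroidManifest.xml versions (a clean initial release and an update that quietly adds collection and boot-persistence capabilities) and reports newly declared permissions and components; the watch-list of permissions and the package name are assumptions chosen for illustration, not indicators from the PhantomLance report.

```python
"""Flag capabilities that first appear in an app update by diffing two
AndroidManifest.xml versions.

Added example for this post, not BlueVoyant or Kaspersky code. Both
manifests below are constructed for illustration; they are not
PhantomLance samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # android:name in Clark notation

# Assumption: a reviewer's watch-list of permissions whose first appearance
# in an update deserves a closer look (not an Android-defined category).
WATCH_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest: the clean first submission.
MANIFEST_V1 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed manifest: a later update that adds data collection and a
# boot receiver for persistence.
MANIFEST_V2 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (permissions, components) declared by a manifest.

    permissions: set of permission names from <uses-permission>.
    components: set of (tag, android:name) tuples under <application>.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    comps = set()
    app = root.find("application")
    if app is not None:
        for tag in COMPONENT_TAGS:
            for e in app.iter(tag):
                comps.add((tag, e.get(NAME)))
    return perms, comps


def diff_manifests(old_xml, new_xml):
    """Report what an update declares beyond the previously reviewed version."""
    old_perms, old_comps = parse_manifest(old_xml)
    new_perms, new_comps = parse_manifest(new_xml)
    added_perms = new_perms - old_perms
    added_comps = new_comps - old_comps
    return {
        "added_permissions": sorted(added_perms),
        "watch_hits": sorted(added_perms & WATCH_PERMISSIONS),
        "added_components": sorted(added_comps),
        # Persistence indicator: boot permission and a new receiver arrive
        # together in the same update.
        "boot_persistence": (
            "android.permission.RECEIVE_BOOT_COMPLETED" in added_perms
            and any(tag == "receiver" for tag, _ in added_comps)
        ),
    }


if __name__ == "__main__":
    for key, value in diff_manifests(MANIFEST_V1, MANIFEST_V2).items():
        print(f"{key}: {value}")
```

A manifest diff is a cheap first filter, not a verdict: a loader that downloads its payload at runtime may need nothing beyond the INTERNET permission the first version already declared, so pair this check with hashing of the DEX classes and native libraries across versions to catch code that changes without any change in declared capabilities.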

Because the campaign ran for multiple years, with multiple iterations successfully bypassing application store screening, the Kaspersky researchers conclude that PhantomLance is evidence of how advanced threat actors are becoming harder to pinpoint.