APT of Interest: Ocean Buffalo

BlueVoyant

“Life in the SOC” is a blog series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Ocean Buffalo (aka APT32, OceanLotus, SeaLotus) is a Vietnam-based targeted intrusion adversary. Reportedly, it has been active since 2012. This APT is known to employ custom and off-the-shelf tools as well as a wide range of tactics. Targeted organizations are primarily located in Southeast Asian countries such as China, the Philippines, and Vietnam; however, there has been an increase in targeting against organizations in Western countries as well. Observed activity indicates that this actor’s mission is broad and includes operations focused on Vietnamese internal security issues, foreign intelligence collection, and limited economic espionage.

On April 22, 2020, FireEye reported that Ocean Buffalo had carried out a series of intrusion campaigns against Chinese targets designed to collect intelligence on the COVID-19 crisis. Its reporting indicates that between January and April 2020 Ocean Buffalo targeted China’s Ministry of Emergency Management and the Wuhan provincial government with spear-phishing attacks. The assessment drawn by FireEye is straightforward – the uncertainties surrounding the COVID-19 crisis and the current air of distrust are serving as an incentive for governments to scale their intelligence collection. This trend is likely to continue.

In late April, Ocean Buffalo again made the news when Kaspersky Labs published the details of a long-term campaign they dubbed “PhantomLance.” The campaign presents as an espionage campaign targeting Android users in Asia.

Spyware unique to this effort is distributed in various applications through online app marketplaces and was even observed in the official Google Play marketplace, as well as in third-party stores like APKpure. The campaign was first spotted last year, but Kaspersky determined it has been ongoing since at least 2016. The various fake applications were accompanied by a developer profile that included GitHub accounts with fake end-user license agreements. The threat actor typically uploaded versions of the fake applications without any malicious payloads or code. Once these were accepted into the marketplaces, later versions of the application that included malware or loader code were used. The tactic even bypassed the Google Play store filters. Since this campaign had been ongoing for multiple years with multiple successful iterations bypassing application store filters, the Kaspersky researchers conclude that the PhantomLance campaign is evidence of how advanced threat actors are becoming more difficult to pinpoint.