Home Blog APT of Interest: Ocean Buffalo APT of Interest: Ocean Buffalo BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. Ocean Buffalo (aka APT32, OceanLotus, SeaLotus) is a Vietnam-based targeted intrusion adversary. Reportedly, it has been active since 2012. This APT is known to employ custom and off-the-shelf tools as well as a wide range of tactics. Targeted organizations are primarily located in Southeast Asian countries such as China, the Philippines, and Vietnam; however, there has been an increase in targeting against organizations in Western countries as well. Observed activity indicates that this actor’s mission is broad and includes operations focused on Vietnamese internal security issues, foreign intelligence collection, and limited economic espionage. On April 22, 2020, FireEye reported Ocean Buffalo as carrying out a series of intrusion campaigns against Chinese targets designed to collect intelligence on the COVID-19 crisis. Its reporting indicates between January and April 2020 Ocean Buffalo targeted China’s Ministry of Emergency Management and the Wuhan provincial government with spear phishing attacks. The assessment drawn by FireEye is straightforward – the uncertainties surrounding the COVID-19 crisis and current air of distrust is serving as an incentive for governments to scale their intelligence collection. This trend is likely to continue. In late April, Ocean Buffalo again made the news when Kaspersky Labs published the details of a long-term campaign they dubbed “PhantomLance.” The campaign presents as an espionage campaign targeting Android users in Asia. A spyware unique to this effort is distributed in various applications through online app marketplaces and was even observed in the Google Play official marketplace, as well as third-party stores like APKpure. The campaign was first spotted last year, but Kaspersky determined it has been ongoing since at least 2016. The various fake applications were accompanied by a developer profile that included GitHub accounts with fake end-user license agreements. The threat actor typically uploaded versions of the fake applications without any malicious payloads or code. Once accepted into the marketplaces, later versions of the application that included malware or loader code were used. The tactic even bypassed the Google Play store filters. Since this campaign had been ongoing for multiple years with multiple successful iterations bypassing application store filters, the Kaspersky researchers conclude the PhantomLance campaign is evidence of how advanced threat actors are becoming more difficult to pinpoint. Share: Facebook Twitter LinkedIn Related reading Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. Ocean Buffalo (aka APT32, OceanLotus, SeaLotus) is a Vietnam-based targeted intrusion adversary. Reportedly, it has been active since 2012. This APT is known to employ custom and off-the-shelf tools as well as a wide range of tactics. Targeted organizations are primarily located in Southeast Asian countries such as China, the Philippines, and Vietnam; however, there has been an increase in targeting against organizations in Western countries as well. Observed activity indicates that this actor’s mission is broad and includes operations focused on Vietnamese internal security issues, foreign intelligence collection, and limited economic espionage. On April 22, 2020, FireEye reported Ocean Buffalo as carrying out a series of intrusion campaigns against Chinese targets designed to collect intelligence on the COVID-19 crisis. Its reporting indicates between January and April 2020 Ocean Buffalo targeted China’s Ministry of Emergency Management and the Wuhan provincial government with spear phishing attacks. The assessment drawn by FireEye is straightforward – the uncertainties surrounding the COVID-19 crisis and current air of distrust is serving as an incentive for governments to scale their intelligence collection. This trend is likely to continue. In late April, Ocean Buffalo again made the news when Kaspersky Labs published the details of a long-term campaign they dubbed “PhantomLance.” The campaign presents as an espionage campaign targeting Android users in Asia. A spyware unique to this effort is distributed in various applications through online app marketplaces and was even observed in the Google Play official marketplace, as well as third-party stores like APKpure. The campaign was first spotted last year, but Kaspersky determined it has been ongoing since at least 2016. The various fake applications were accompanied by a developer profile that included GitHub accounts with fake end-user license agreements. The threat actor typically uploaded versions of the fake applications without any malicious payloads or code. Once accepted into the marketplaces, later versions of the application that included malware or loader code were used. The tactic even bypassed the Google Play store filters. Since this campaign had been ongoing for multiple years with multiple successful iterations bypassing application store filters, the Kaspersky researchers conclude the PhantomLance campaign is evidence of how advanced threat actors are becoming more difficult to pinpoint. Share: Facebook Twitter LinkedIn Related reading Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more
Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
