On November 6, 2017, cyber security company Volexity released a blog post highlighting an espionage campaign targeting ASEAN nations via compromised websites and typosquatting infrastructure. The campaign is believed to be linked to the OceanLotus Group, also known as APT 32, which has carried out targeted attacks against foreign governments, private companies, and journalists and dissidents—potentially on behalf of Vietnam. Because the group used compromised web infrastructure as its avenue of attack, RiskIQ’s global network of web crawlers yielded data that gave greater context around its campaign by shedding light on its scope and scale, including more than 140 compromised parent websites.

This data, which can be found in RiskIQ Community Edition, added several new layers to the investigation below.

Diving Into OceanLotus

Examining the associations between the infrastructure identified by Volexity and RiskIQ’s web crawling data available in RiskIQ Community Edition, we can surface connections that indicate that the campaign has been active since at least February of 2016. Investigating this malicious infrastructure for redirection sequences, links, and dependent requests in RiskIQ’s Host Pair data shows that the malicious domain ad[.]adthis[.]org has a script association to danchimviet[.]info, an online Vietnamese newspaper first seen by RiskIQ on February 1, 2016:

Fig-1 Host Pair data showing connection to a Vietnamese Newspaper

Additionally, another script association between malicious domain api[.]querycore[.]com and the National Rescue Party of Cambodia, one of two major political parties with a platform focused on human rights and democracy, can be firsts seen in our data set on February 5, 2016:

Fig-2 Host Pairs data showing another connection to the National Rescue Party of Cambodia on Feb. 5

Both of these websites match the targeting profile laid out in the Volexity report, i.e., consistent with Vietnam state interests.

Using the RiskIQ PassiveTotal Maltego transforms, we are quickly able to identify more than 140 compromised parent websites redirecting to the malicious infrastructure outlined in the Volexity report. The below Maltego chart visualizes the full extent of this infrastructure:

Fig-3 A visual of the threat infrastructure in Maltego

At the center of this infrastructure is a single domain, health-ray-id.com, which appears to connect all of the current active malicious infrastructure. As you can see by clicking on the Host Pairs tab in RiskIQ Community, these domains are connected to the domain in question via an XMLHttpRequest.

Fig-4 Host Pairs data showing the extent of the connections to “health-ray-id.com”

Looking at the sequence data as observed in RiskIQ’s web crawler, we can see the associations between the compromised website, the above domain, and the additional OceanLotus Infrastructure:

Fig-5 RiskIQ’s crawl shows the connection

In the above sequence, we can see that the compromised site reaches out to malicious URL hxxps://health-ray-id[.]com/robot.txt, which then drops a cookie that appears to imitate a legitimate Cloudflare service header (CF-Ray):

Fig-6 The cookie dropped by the malicious URL

This process is similar to the tactics outlined in the Volexity report in which they noted three other cookie names being used,  “___APISID” , “___APISID2”, and “SAPIS_ID”, but shows a deeper level of detail in the operations, suggesting the actors may be evolving their techniques.

Fig-7 A pivot on a cookie mentioned in the Volexity report

Pivoting on the cookie name cloudflare-ray-uuid, we see that RiskIQ has observed this cookie associated with 274 domains and IP addresses in our cookie database. Filtering out the IP address associations, we find 99 instances where this cookie has been associated with a domain:

Fig-8 Pivoting on the cookie found by RiskIQ

As the Maltego chart below shows, RiskIQ was able to identify 78 unique domains with this cookie association, all connected to the health-ray-id domain.

Fig-9 Domains associated with the cookie

A quick review of the 78 domains associated with this cookie shows a mix of Asia Pacific-based blogs, news organizations, and government websites, which, again, appear to map to the targeting profile laid out by Volexity.

Keeping Afloat Amid OceanLotus

As tension rises in ASEAN, its members often turn to sponsoring cyber attacks that disrupt and spy on their neighbors. At the same time, many of these countries have poor cybersecurity practices and levels of awareness, both in the public and private sectors, that make their government and business organizations extremely susceptible to hacking groups like OceanLotus, which uses automation to launch sophisticated attacks cheaply by rotating and reusing undetected infrastructure.

However, defenders with access to internet data collected by web crawlers can detect unknown threats at the source and track how they change and spread. Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure—and how it’s used within a broader context. As can be seen from the above analysis, RiskIQ’s crawling infrastructure, indexed web data sets, and analyst-focused analysis platform allows organizations to quickly and effectively identify the scale of these strategic compromises and provide visibility that improves an organization’s ability to defend their network.

To understand the full scope of this attack campaign and continue the investigation, check out the PassiveTotal public project.

Interested in crawling specific parts of the Internet with RiskIQ technology? Now you can task our virtual users to work for you at scale. RiskIQ offers URL crawling through our Security Intelligence Services (SIS), so you can capture the same kind of data we used in this post. For more information and a quote, contact us today.