Thayer Consultancy Background Brief:
ABN # 65 648 097 123

OceanLotus Group Implicated in
Malware Attacks on Cambodian
Government Targets
Carlyle A. Thayer
November 26, 2020

We are preparing a report about Vietnamese hackers hitting the Cambodian
government: https://www.recordedfuture.com/apt32-malware-campaign/. It seems
to be a similar method and group involved in Vietnamese hacking of the Chinese
government in April. We request your assessment of the following issues:
Q1. How common or believable is it that the Vietnamese government would sponsor
the hacking of a foreign government — in this case the Cambodian government?
ANSWER: There have been persistent reports by reputable cyber security firms that
APT32 began targeting government ministries and agencies in Cambodia, Laos and the
Philippines as well as the Association of Southeast Asian Nations (ASEAN) Secretariat
as early as 2017. Reports this year that APT32 targeted Cambodian government and
its agencies are entirely plausible.
APT32, or OceanLotus Group, was established in 2012. APT32's hacking activities have
grown in scope and intensity since then. APT32 focused first on Chinese entities before
expanding to commercial targets in Vietnam, the Philippines, Germany and the United
States. Automobile manufacturers BMW, Toyota and Hyundai reportedly were
targeted. In 2019, APT32 was implicated in mass digital surveillance and attacks that
targeted the media, human rights and civil society groups as well as ASEAN.
Analysis of APT32’s tactics, techniques and procedures led cyber analysts to conclude
that APT32 sought information that would be valuable to the Vietnamese government
and was likely connected to the Vietnamese government. In May 2017, for example,
FireEye assessed “that APT32 is a cyber espionage group aligned with Vietnamese
government interests.”
Q2. What reason could they have for doing this?
ANSWER: Three reasons come to mind – because they can; to test their tactics,
techniques, and procedures against Cambodia’s cyber security defences; and to gain
access to classified information in areas of priority intelligence collection to the
Vietnamese government, such as Cambodia-China relations.
Q3. Do you put much weight on the Vietnamese government denying (in April) that
they were behind the hacks?
ANSWER: No. Enough evidence has accumulated over the past eight years that
APT32 is located in Vietnam and is most likely affiliated with a government ministry or
department. The Ministry of National Defence established its Cyber Command in
2017. The Ministry of Public Security has developed formidable cyber capabilities as
well.
Q4. Is there anything else you think is worth noting about this case?
ANSWER: We know that Vietnam government ministries and other agencies have
suffered from state and non-state actor cyberattacks in the past. We also know that
there has been a spike of cyberattacks in Southeast Asia during the COVID-19
pandemic. These incidents may have led Vietnam to take retaliatory action.
However, according to Recorded Future’s Pulse Report, “[the] Insikt Group has
discovered a new malware campaign targeting the Cambodian government” and
identified “several Cambodian victim organisations communicating with this
infrastructure [APT32 or OceanLotus]...” This would rule out the hypothesis that
Vietnam was retaliating against hackers based in Cambodia.

Suggested citation: Carlyle A. Thayer, "OceanLotus Group Implicated in Malware
Attacks on Cambodian Government Targets," Thayer Consultancy Background Brief,
November 26, 2020. All background briefs are posted on Scribd.com (search for
Thayer). To remove yourself from the mailing list, type UNSUBSCRIBE in the Subject
heading and hit the Reply key.

Thayer Consultancy provides political analysis of current regional security issues and
other research support to selected clients. Thayer Consultancy was officially
registered as a small business in Australia in 2002.