The OceanLotus hacker group has been spotted involved in a new campaign that targeted over 20 websites run by government organizations across Southeast Asia. The hacker group targeted the websites of the Cambodian defense ministry, the foreign affairs ministry as well as several local newspapers.
According to security researchers at ESET, who discovered the new campaign, OceanLotus have upgraded their attack tactics to hide their malicious activities. Two months after the first wave of compromises began, several of the websites remained infected.
OceanLotus, which is believed to have ties to the Vietnamese government, is thought to have been active since at least 2012. The group primarily targets foreign governments and dissidents.
“Among the various improvements, they started using public key cryptography to exchange an AES session key, used to encrypt further communications, thus preventing security products from intercepting the final payload. They also switched from HTTP to WebSocket to hide their malicious communications,” ESET researchers said in a blog.
In previous campaigns, OceanLotus has conducted watering hole attacks, which involve the hackers specifically compromising websites that their targets often visit. However, in this campaign, the cyberespionage group managed to compromise websites that attract a large number of visitors in general.
“In order to be as stealthy as possible, the OceanLotus operators registered one first stage and one second stage domain per compromised website,” the researchers added. “Each domain is hosted on a separate server with a distinct IP address. They registered at least 50 domains and 50 servers for this campaign.”
ESET researchers said that despite the fact that OceanLotus has been closely monitored by many security researchers, the group continues to attack targets in Southeast Asia, enhancing their tools and malware.
“The recent updates to their watering hole framework show a level of sophistication never before seen for OceanLotus. This is yet another reminder that this APT group should be closely tracked,” ESET researchers said.