On 24 February 2021 a new Amnesty International investigation has identified a campaign of spyware attacks targeting Vietnamese human rights defenders (HRDs) from February 2018 to November 2020. Amnesty International’s Security Lab attributes these attacks to an attack group known as Ocean Lotus. The group has been active since at least 2014, targeting the private sector and HRDs. The spyware attacks investigated and identified by the Security Lab are the latest evidence of a crackdown on freedom of expression in Viet Nam and against Vietnamese activists outside the country.

Viet Nam’s history of Online Repression: Human rights are increasingly under attack both offline and online in Viet Nam. Over the past 15 years, repression linked to online activity has intensified, leading to a wave of harassment, intimidation, physical assault, and prosecution. Amnesty International has documented multiple cases of the arrest and prosecution of HRDs in Viet Nam in retaliation for their online expression since 2006. That year, former prisoner of conscience Truong Quoc Huy was arrested at an internet café in Ho Chi Minh City. Many activists and bloggers have been convicted for “conducting propaganda against the state.” Human rights blogger Nguyen Ngoc Nhu Quynh (Mother Mushroom) was sentenced to 10 years in prison in June 2017 on such charges. Activists and bloggers also face frequent physical assaults by officials or government-connected thugs. [see: https://www.trueheroesfilms.org/thedigest/laureates/70F07728-1E21-4D33-F0BE-460D5A188B9D] Police place activists under house arrest or briefly detain them to prevent them from participating in public events. The government also uses travel bans to prevent activists and HRDs from going abroad and engaging with the international community. In December 2020, Amnesty International published “Let Us Breathe”, a report documenting the widespread criminalization, online harassment and physical attacks faced by activists and bloggers and the rising numbers of individuals detained for peacefully expressing themselves online. [see: https://humanrightsdefenders.blog/2020/12/01/facebook-and-youtube-are-allowing-themselves-to-become-tools-of-the-vietnamese-authorities-censorship-and-harassment/ ]

What is Ocean Lotus?

The cyber-security industry, comprised of individual and company-based researchers, routinely researches and publishes information about attack groups targeting companies and governments. The industry often gives informal names to groups they continuously track based on each group’s unique tactics and tools. Ocean Lotus (also commonly called APT32 or APT-C-00) is one of these groups. The first known Ocean Lotus attack happened in 2014. It targeted US-based NGO Electronic Frontier Foundation (EFF), the Associated Press international news organization and two Vietnamese activists. This group was named Ocean Lotus in a report from the Chinese company Qihoo 360 in May 2015. In 2017, the American cyber-security company FireEye published a report linking the 2014 EFF and other attacks to this same Ocean Lotus. Over the years, Ocean Lotus has developed a sophisticated spyware toolkit comprised of several variants of Mac OS spyware, Android spyware and Windows spyware. They also strategically compromise websites in order to identify visitors and conduct further targeting. More recently, Ocean Lotus was found creating fake media websites based on content automatically gathered online. A significant part of the group’s activities is the targeting of HRDs and civil society. In 2017, the cyber-security company Volexity revealed that over 100 websites were compromised, including many belonging to human rights organizations from Viet Nam, in an attack campaign that they attributed to Ocean Lotus. Numerous other spyware attacks linked to Ocean Lotus against human rights organizations have also been reported, such as the targeting of the Cambodian human rights organization, LICADHO, in 2018. The cyber-security company FireEye describes Ocean Lotus’ operations as “aligned with Vietnamese state interests” based on the list of targeted companies and civil society groups they identified. In December 2020, Facebook published a threat report linking Ocean Lotus’ activities with a Vietnamese company named CyberOne Group. Although Amnesty International was unable to independently verify any direct connection between Ocean Lotus and Cyber One or with the Vietnamese authorities, the attacks described in this investigation confirm a pattern of targeting Vietnamese individuals and organizations.

Attacks against HRDs.

The investigation conducted by Amnesty International’s Security Lab revealed that two HRDs and a non-profit human rights organization from Viet Nam have been targeted by a coordinated spyware campaign. This spyware allows to fully monitor a compromised system, including reading and writing files, or launching other malicious programs. Bui Thanh Hieu is a blogger and pro-democracy activist who goes by the name “Nguoi Buon Gio” (The Wind Trader). He writes about social and economic justice and human rights. He is also critical of the Vietnamese government’s policies and actions regarding its relations with China, including the dispute over sovereignty in the South China Sea. Due to his writing and activism, the licence for an Internet Café he owned in Ha Noi has been revoked and he has been repeatedly subjected to reprisals. He was arrested along with activists Pham Doan Trang [see https://www.trueheroesfilms.org/thedigest/laureates/fe8bf320-1d78-11e8-aacf-35c4dd34b7ba] and Nguyen Ngoc Nhu Quynh in 2009 and was kept in police custody for 10 days for“abusing democratic freedoms to infringe upon the interests of the State.” In January 2013, Bui Thanh Hieu reported on the trial of 14 dissidents in Viet Nam and was arrested and released a few days later. He has since left Viet Nam and has lived in exile in Germany since 2013. Vietnamese Overseas Initiative for Conscience Empowerment (VOICE) is a non-profit organization supporting Vietnamese refugees and promoting human rights in Viet Nam. It was established in 1997 in the Filipino capital of Manila as a legal aid office, before formally registering in the United States in 2007. The organization continues to operate out of Manila and has helped 3,000 Vietnamese refugees resettle in third countries. Since 2011, VOICE has operated an internship programme to equip Vietnamese people with knowledge, skills, and tools to become effective activists. The organization has faced reprisals from Vietnamese authorities several times. Staff at VOICE told Amnesty International that employees and interns have been harassed, banned from travelling, and have had their passports confiscated when they have returned to Viet Nam. Furthermore, state-owned media has run an unsubstantiated smear campaign against VOICE, claiming that the organization is a terrorist group. A blogger residing in Viet Nam has also been confirmed as an Ocean Lotus target by the Security Lab, but due to security concerns their name has been omitted. They are known to have spoken out publicly about the Dong Tam incident on 9 January 2020, when approximately 3,000 security officers from Ha Noi raided Dong Tam village and killed the 84-year-old village leader Le Dinh Kinh. Three police officers were also killed. The Dong Tam incident sparked a national outcry in Viet Nam. Activists and bloggers were at the forefront of the public debate online, prompting a nationwide crackdown on on-line expression by the government. VOICE and the two bloggers all received emails containing spyware between February 2018 and November 2020. These emails pretended to share an important document. They either contained spyware as an attachment or as a link. Once downloaded and launched on the victim’s computer, the spyware would then open a decoy document in line with what the email pretended to share to trick the victim in believing the file was benign. Screenshot of the email sent to VOICE in April 2020The spyware identified by the Security Lab were either for Mac OS or Windows systems. The Windows spyware was a variant of a malware family called Kerrdown and used exclusively by the Ocean Lotus group. Kerrdown is a downloader that installs additional spyware from a server on the victim’s system and opens a decoy document. In this case, it downloaded Cobalt Strike, a commercial spyware toolkit developed by the American company Strategy Cyber and routinely used to lawfully audit the security of organizations through simulated attacks. It allows an attacker full access to the compromised system including executing scripts, taking screenshots or logging keystrokes. Unlicensed versions of Cobalt Strikes have been increasingly used by attack groups, including Ocean Lotus, over the past three years.Example of Windows Spyware Infection Chain from one of the emails received The Mac OS Spyware was a variant of a malware family for Mac OS developed and used exclusively by Ocean Lotus, analysed by Trend Micro in April 2018 and November 2020. It allows the perpetrator to access system information, download, upload or execute files and execute commands.