Cybersecurity investigators at Facebook have found that a hacking group long suspected of spying on behalf of the Vietnamese government is linked to an information technology company in Ho Chi Minh City.
Facebook’s announcement on Friday is the first from the company about an offensive hacking operation and, if confirmed, would be a rare case of government-backed cyber spies being linked to a particular organization.
The hackers – known as OceanLotus, or APT32 – have been accused for years of spying on political opponents, companies and foreign officials. Reuters reported earlier this year that the group tried to infiltrate the Chinese Ministry of Emergency Management and the Wuhan government when the COVID-19 virus began to spread.
Facebook said it had found links between a cyber attack previously attributed to OceanLotus and a Vietnamese company called CyberOne Group in Ho Chi Minh City. CyberOne has denied links to hackers.
A person who runs the company’s now-suspended Facebook page told Reuters: “We have nothing to do with OceanLotus.” “You are wrong,” he added.
Facebook said the hackers used its platforms to carry out a range of cyber attacks, some of which used fake accounts to deceive targets by posing as activists, companies, and admirers.
Facebook’s head of cybersecurity policy, Nathaniel Gleicher, said his team had found technical evidence linking the CyberOne page on Facebook to the accounts used in the hacking campaign, in addition to other OceanLotus attacks.
He declined to disclose the exact evidence, saying that doing so would make tracking the group more difficult in the future, but said it includes online infrastructure, malicious code, and other hacking tools and technologies.
“Actors in this space use some very specific technologies, and if we uncover how we perceive them, it really harms our ability to discover more of those technologies,” said Gleicher.
The OceanLotus group was very active in Southeast Asia, although it was not as well known in the West as were some suspected and Russian government-backed hacking operations.
Facebook said it does not have enough evidence to attribute OceanLotus to anyone other than CyberOne, which is also said to have used other names, such as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet, and Diacauso.
CyberOne reveals little information about itself on its website, saying only that it has about 200 employees who provide a range of “basic security technologies”.