APT32 (OceanLotus) Targets Dissidents & Corporate Media via Fake‑Site‑Driven Espionage Campaign

APT32 (OceanLotus), an advanced persistent threat group, has been linked to a recent cyberattack on dissidents and corporate media. The incident leveraged fake sites and malware to gain access, steal data, and evade detection. In this article, we examine who was responsible, how the attack unfolded, when it occurred, and what security leaders can do to avoid similar risks. We will also explore where Obsidian Security’s capabilities align with prevention and response.
Sophie Zhu
September 15, 2024

Who is APT32 (OceanLotus)?

APT32, also identified as OceanLotus, Canvas Cyclone, or BISMUTH, is a state‑aligned Vietnamese espionage group operating since at least 2014, with continued high-profile activity through 2025. The group targets dissidents, corporate media, government agencies, and private sectors such as finance and real estate. Its tactics include watering-hole sites, supply-chain compromises via trojanized development tools on platforms like GitHub, and custom malware designed for stealth and persistence. APT32 is known for its operational adaptability and long-term strategic alignment with Vietnam’s national interests.

What Happened?

OceanLotus, a group linked to the Vietnamese state, ran a sweeping cyber-espionage campaign by creating and operating fake news websites and social media pages. Posing as legitimate news platforms, they lured political dissidents, journalists, and corporate media in Southeast Asia into interactions that enabled surveillance and espionage.

How Did The Attack Work?

OceanLotus began by building dozens of realistic-looking news sites, often in local languages and focused on political or social themes relevant to Vietnam and neighboring countries. Only select articles or pages on these sites contained malicious code. When a high-value visitor (such as a dissident or a journalist) landed on one of these specific pages, their system was profiled (collecting details such as operating system, browser, and location). In many cases, they were then prompted to download malware. Social media pages, especially on Facebook, were also used for outreach and to build credibility.

Why It Matters

This incident reveals the growing sophistication of state-backed threats (both technically and in social engineering). The blending of legitimate-looking news sites with covert surveillance not only undermines trust in independent journalism and online media, but also enables large-scale monitoring, intimidation, or targeting of activists, reporters, and opposition voices across multiple countries in the region. This tactic could be replicated in other regions, raising global concerns about press freedom, personal privacy, and the weaponization of digital media.

How to Defend Against APT32 (OceanLotus)-Style Attacks

To defend against threats similar to those used by APT32 (OceanLotus), security leaders should adopt the following multi-layered security practices:

  • Security Awareness & Phishing Simulations
    Train users to detect and report phishing attempts using realistic simulations. Reinforce awareness of social engineering tactics.
  • MFA Hardening (e.g., Phishing-Resistant Auth)
    Enforce phishing-resistant MFA (e.g., FIDO2, certificate-based auth). Detect and respond to MFA fatigue attacks or session hijacking attempts.
  • Endpoint Detection & Response (EDR)
    Deploy modern EDR solutions across workstations and cloud endpoints. Detect credential theft, persistence mechanisms, and lateral movement.
  • SaaS Misconfiguration Monitoring
    Continuously monitor for configuration drift and excessive privileges in SaaS apps (e.g., M365, Salesforce, Okta). Lock down unused integrations and enforce least privilege.
  • Email Gateway & Attachment Filtering
    Filter malicious attachments and links at the email gateway. Combine with in-app behavioral detection to spot post-delivery threats.
  • Threat Hunting or Behavioral Detection
    Proactively hunt for identity anomalies and unusual access patterns (e.g., impossible travel, session token reuse, OAuth abuse) across your SaaS estate.
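As an added example (not from the original post and not Obsidian's own code), the following Python hunts over constructed SaaS sign-in events for two of the identity anomalies named above: impossible travel and one session token used from several source IPs. The event field names, the sample data and the 1000 km/h speed threshold are assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in events (not real telemetry). Each record carries the
# timestamp, user, source IP, approximate geolocation and the session token id.
SAMPLE_EVENTS = [
    {"ts": "2024-09-10T08:00:00", "user": "editor@example.org", "ip": "203.0.113.10",
     "lat": 10.82, "lon": 106.63, "session": "sess-A1"},   # Ho Chi Minh City
    {"ts": "2024-09-10T08:40:00", "user": "editor@example.org", "ip": "198.51.100.7",
     "lat": 52.52, "lon": 13.40, "session": "sess-A1"},    # Berlin, same session token
    {"ts": "2024-09-10T09:00:00", "user": "reporter@example.org", "ip": "203.0.113.22",
     "lat": 13.76, "lon": 100.50, "session": "sess-B7"},   # Bangkok
    {"ts": "2024-09-10T15:00:00", "user": "reporter@example.org", "ip": "203.0.113.23",
     "lat": 1.35, "lon": 103.82, "session": "sess-B8"},    # Singapore, six hours later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def hunt(events, max_kmh=1000.0):
    """Return (finding_type, subject, detail) tuples for the two anomaly classes."""
    findings = []
    # 1. Impossible travel: consecutive sign-ins per user farther apart than a
    #    person could plausibly move in the elapsed time (assumed threshold).
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Written as a product so that two distant sign-ins at the same
            # instant (hours == 0) are also flagged instead of dividing by zero.
            if km > max_kmh * hours:
                findings.append(("impossible_travel", user, f"{km:.0f} km in {hours:.2f} h"))
    # 2. Session token reuse: the same session id presented from more than one IP,
    #    the pattern a stolen cookie or token replay leaves in sign-in logs.
    sessions = {}
    for e in events:
        sessions.setdefault(e["session"], set()).add(e["ip"])
    for sess, ips in sorted(sessions.items()):
        if len(ips) > 1:
            findings.append(("session_reuse", sess, ", ".join(sorted(ips))))
    return findings

if __name__ == "__main__":
    for kind, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"[{kind}] {subject}: {detail}")
```

On the constructed data this flags the editor's 9,000 km hop in 40 minutes and the shared sess-A1 token, while the reporter's Bangkok-to-Singapore sign-ins six hours apart pass.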

Obsidian Security’s platform can help detect these signals, automate posture hardening, and accelerate incident response across identity and SaaS environments.

Where Obsidian Security Can Help

Obsidian delivers comprehensive SaaS and identity threat protection through capabilities like ITDR, SSPM, and threat hunting.

Conclusion

The recent APT32 (OceanLotus) campaign underscores the need for layered security and SaaS-native threat detection. Organizations should combine user education, identity threat protection, and SaaS configuration hardening to minimize risk. Obsidian’s continuous monitoring and context-aware alerts help defenders identify and respond to threats before damage is done.