
| Attribute | Details |
| --- | --- |
| Names | APT32 (Mandiant), Ocean Buffalo (CrowdStrike), Tin Woodlawn (SecureWorks), ATK 17 (Thales), Canvas Cyclone (Microsoft) |
| Additional Names | OceanLotus (SkyEye Labs), SeaLotus, APT-C-00 (Qihoo 360), SectorF01 (ThreatRecon) |
| Location | Vietnam |
| Date of initial activity | 2014 |
| Suspected attribution | State-sponsored |
| Motivation | Espionage, Surveillance |
| Associated tools | Cobalt Strike, Denis, Goopy, JEShell, KerrDown, Mimikatz, Ratsnif, Remy, Rizzo, RolandRAT |
Overview
APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. It has made extensive use of strategic web compromises to compromise victims. The group is believed to be based in Vietnam.
Targets
Multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia.
Attack vectors
Extensive use of strategic web compromises (watering-hole attacks) to compromise victims.
How they work
TIN WOODLAWN is a targeted threat group, active since at least 2014, that CTU researchers assess with moderate confidence is operated or tasked by the Vietnamese government. It has targeted automotive manufacturers, media, non-governmental organizations, dissidents or social groups of interest to the Vietnamese government in Vietnam or overseas, and regional governance groups and national governments neighboring Vietnam.
TIN WOODLAWN is technically capable and uses a range of techniques including template injection, obfuscated macros and steganography for malware delivery, memory-resident malware, use of native command line scripts for Cobalt Strike persistence, and non-standard command and control channels such as DNS and ICMP.
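The profile above notes the group's use of non-standard command and control channels such as DNS. The following is an added detection example written for this page, not code from the profile or from any of the vendors it cites: a small heuristic scorer that reads resolver query logs and flags registered domains receiving repeated queries whose labels look encoded (long, high-entropy labels, bulky record types). The log format, every host name and IP address in the sample, and the thresholds are constructed assumptions for illustration; tune them against your own baseline before relying on them.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver log lines: "<timestamp> <client-ip> <query-name> <record-type>".
# Every name, address and label below is made up for this example; none is real infrastructure.
SAMPLE_DNS_LOG = """\
2024-01-10T09:00:01Z 10.0.0.12 www.example.com A
2024-01-10T09:00:02Z 10.0.0.12 mail.example.com MX
2024-01-10T09:00:03Z 10.0.0.12 static-assets-cdn-production-eu-west.example.com A
2024-01-10T09:00:05Z 10.0.0.44 3q7k9x2mz8v1p4n6b5c0ytrwfdghjla.updates.exfil-test.invalid TXT
2024-01-10T09:00:06Z 10.0.0.44 z9v2k4m8x1q7p3n5b6c0ytrwfdghjlb.updates.exfil-test.invalid TXT
2024-01-10T09:00:07Z 10.0.0.44 k4m8x1q7p3n5b6c0ytrwfdghjlz9v2c.updates.exfil-test.invalid TXT
2024-01-10T09:00:08Z 10.0.0.44 p3n5b6c0ytrwfdghjlz9v2k4m8x1q7d.updates.exfil-test.invalid TXT
2024-01-10T09:00:09Z 10.0.0.44 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or random labels score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def score_query(qname: str, qtype: str) -> list:
    """Return the heuristic indicators a single query trips (empty list = looks ordinary)."""
    labels = qname.lower().rstrip(".").split(".")
    longest = max(labels, key=len)
    reasons = []
    if len(longest) >= 30:                       # assumed threshold
        reasons.append("long-label")
    if len(longest) >= 16 and shannon_entropy(longest) >= 3.5:   # assumed threshold
        reasons.append("high-entropy-label")
    if len(qname) >= 50:                         # assumed threshold
        reasons.append("long-name")
    if qtype.upper() in {"TXT", "NULL"} and reasons:
        # Bulky record types are a common carrier for tunnelled responses; only count them
        # when the name already looks encoded, so ordinary TXT lookups (SPF, DKIM) pass.
        reasons.append("bulky-record-type")
    return reasons


def registered_domain(qname: str) -> str:
    """Crude base-domain extraction (last two labels); a real deployment would use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_log(log_text: str, min_hits: int = 3) -> dict:
    """Aggregate suspicious queries per registered domain; return domains with at least min_hits.

    Aggregating suppresses one-off false positives such as a long but legitimate CDN hostname.
    """
    per_domain = defaultdict(lambda: {"hits": 0, "names": set(), "reasons": set(), "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, qtype = parts
        reasons = score_query(qname, qtype)
        if not reasons:
            continue
        entry = per_domain[registered_domain(qname)]
        entry["hits"] += 1
        entry["names"].add(qname.lower())
        entry["reasons"].update(reasons)
        entry["clients"].add(client)
    return {
        dom: {"hits": e["hits"], "unique_names": len(e["names"]),
              "reasons": sorted(e["reasons"]), "clients": sorted(e["clients"])}
        for dom, e in per_domain.items() if e["hits"] >= min_hits
    }


if __name__ == "__main__":
    for dom, info in analyze_log(SAMPLE_DNS_LOG).items():
        print(f"{dom}: {info}")
```

Run against the constructed sample, only `exfil-test.invalid` is reported: the long `static-assets-cdn-production-eu-west.example.com` label trips the per-query heuristics once, but the per-domain hit count keeps `example.com` out of the result. Per-client query volume toward the flagged domain (the `clients` field) is the natural pivot for triage.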