On April 22, FireEye, a cyber security firm, reported that “From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that… [were] designed to collect intelligence on the COVID-19 crisis.” The alleged targets were China’s Ministry of Emergency Management and the Wuhan municipal government.
The next day Ngo Toan Thang, deputy spokesperson for Vietnam’s Ministry of Foreign Affairs, stated at a regular press conference, “This accusation is unfounded. Vietnam strictly prohibits cyberattacks targeting organisations and individuals in any form.”
APT32 was first identified in 2012 when it initiated cyberattacks on Chinese entities and then expanded to targets in Vietnam and the Philippines. APT32 is also known as the OceanLotus Group, APT-C-00, SeaLotus and OceanBuffalo. APT stands for Advanced Persistent Threat.
In 2016, a global corporation based in Asia became a victim of a year-long cyberattack that targeted intellectual property, confidential business information and details of specific projects.When Cybereason, a threat intelligence firm, investigated it uncovered links that could be traced to the OceanLotus Group. When Cybereason moved to block APT32 it discovered a resilient adversary that quickly resorted to custom-built tools to re-enter its client’s network.
Also, in 2016, an incident response analyst at FireEye, with experience in dealing with about twelve APT32 cyber intrusions, concluded that APT32’s targets “thus far seem to serve Vietnamese state interests.” The FireEye analyst concluded that APT32 could carry out “multiple campaigns simultaneously” and had “the resources and capabilities to execute devastating large-scale network attacks… particularly for surveillance and data-exfiltration.”
In a report published in May 2017, FireEye assessed “that APT32 is a cyber espionage group aligned with Vietnamese government interests.”
Nick Carr, a FireEye director who tracked APT32 since 2012, revealed that an investigation carried out in 2017 on hacking attacks in Asia, Germany and the United States found that the group spent at least three years targeting “foreign corporations with a vested interest in Vietnam’s manufacturing, consumer product and hospitality sectors.”
In 2018, reports emerged that OceanLotus/APT32 had been engaged in industrial espionage over the last two years targeting automobile manufacturers BMW, Toyota and Hyundai. Cyber analysts quoted in the media said the cyber intrusions appeared to support Vietnam’s manufacturing goals.
In addition, Volexity, a cyber security firm, reported in 2019 that APT32 conducted “a very sophisticated and extremely widespread mass digital surveillance and attack campaign” that targeted the media, human rights and civil society groups as well as the Association of Southeast Asian Nations. CrowdStrike, a cybersecurity company, noted in late 2019 that “the uptick in Vietnam’s [APT32] espionage activity, which began in 2012… spiked since 2018” was “believed to be tied to the Vietnamese government.”
APT32, COVID-19 and Intelligence Collection
What factors might have motivated the Vietnamese government to task APT32 to hack into a Chinese government ministry and municipal government to obtain information on COVID-19?
We know from media reporting that the U.S. National Center for Medical Intelligence (NCMI), based on analysis of wire and computer intercepts as well as satellite imagery, concluded that a contagion was spreading through Wuhan and surrounding region that posed a threat to the health of the population. The NCMI produced a classified report in late November 2019 that warned that an out-of-control disease would pose a serious threat to U.S. forces in Asia. The NCMI reportedly briefed the Defense Intelligence Agency, the Pentagon’s Joint Staff and the White House.
There is no apparent reason why Vietnam could not have picked up on this spreading disease in November-December 2019 through its own human intelligence sources and signals intelligence by monitoring the Chinese-language internet.
If this were the case, Vietnam’s first reaction would have been to try and determine how lethal COVID-19 was and learn as much as possible about the new disease and its likely impact on Vietnam. Vietnamese diplomats in China should have been tasked to obtain this information from their official Chinese counterparts.
Given China’s lack of transparency on the spread of the coronavirus until January, it is likely Chinese officials were not forth coming with their Vietnamese colleagues in responding to requests for information.
China’s lack of transparency would have prompted Vietnamese leaders to give a directive – or tasking – to their various intelligence agencies and officials in China to give priority to the collection of all source information on the coronavirus. This would have included open sources such as the internet, posting on Weibo (China’s Facebook), blog sites, and electronic publications.
Vietnam would have had access to intelligence information obtained from friendly intelligence services through routine liaison and exchanges. Vietnam could have asked for information, shared information or was provided with information. At a minimum, liaison discussions might have revealed a joint concern over COVID-19.
In addition, Vietnam would have obtained information from human intelligence sources as well. Human intelligence sources include Chinese government officials, security services, medical personnel, research scientists and ordinary citizens in China and Wuhan in particular. Human intelligence sources would also include Vietnamese and foreign residents in China, particularly Wuhan, such as businessmen, students and tourists.
In sum, human and signals intelligence sources likely confirmed the first rumours of the emergence and spread of COVID-19 to Vietnamese intelligence collectors. A report by FireEye alleges that the first Vietnamese cyber intrusion to gather information on COVID-19 was initiated against China’s Ministry of Emergency Management and the Wuhan city government on Jan. 6, 2020 and continued throughout the first quarter of the year. China’s lack of transparency likely was an important motivating factor behind this decision.
The public evidence that APT32 is linked to the Vietnamese government is based on long-term monitoring of its methods of operation by professional cyber security firms. APT32’s actions against Vietnamese dissidents at home and abroad and targeting of foreign commercial enterprises suggests a possible connection to the Ministry of Public Security.
In 2017, the Ministry of National Defence established its Cyber Command. It is possible that APT32 was put under the Cyber Command’s wing.
Vietnam’s most recent Defence White Book issued in late 2019 declared, ‘Viet Nam is ready to use all measures conforming to international law to deter and prevent cyber sabotage in order to safeguard its sovereignty and national interests in cyberspace.’
It is inconceivable that the Cyber Command has not developed some offensive capabilities that would enable it to hack Chinese government computers should circumstances dictate. But it is also plausible that APT32 is a unit of the Ministry of Communications and Information, another ministry, or a stand-alone organisation reporting to Vietnam’s highest party and state leaders.
Carl Thayer is Emeritus Professor and Visiting Fellow in the School of Humanities and Social Sciences, The University of New South Wales at the Australian Defence Force Academy in Canberra.