Facebook says it disrupted cyber-espionage in Vietnam, Bangladesh

The social media giant pinned the Vietnam-based activity on APT32, also known as Ocean Lotus.
Facebook, social media, mobile

Facebook says it has uncovered plots by two hacking campaigns to “abuse our platform, distribute malware and hack people’s accounts,” one originating in Vietnam, the other in Bangladesh.

In a blog post late Thursday, two cybersecurity officials from the social media giant pinned the Vietnam-based activity on APT32, the advanced persistent threat group also known as Ocean Lotus. In Bangladesh, the perpetrators appear to be two largely unknown “non-profit” groups, Facebook says.

“The operation from Vietnam focused primarily on spreading malware to its targets, whereas the operation from Bangladesh focused on compromising accounts across platforms and coordinating reporting to get targeted accounts and Pages removed from Facebook,” wrote Nathaniel Gleicher, the company’s head of security policy and Mike Dvilyanski, its cyberthreat intelligence manager.

APT32’s efforts involved a Vietnamese IT company, the researchers said, making it the latest example of hacking groups using corporate disguises. In early November, cybersecurity company Volexity had warned that APT32 was using Facebook pages to spread malware.


“Our investigation linked this activity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso),” the blog post said.

The Vietnam-linked group has consistently expanded its target list and tools over the past few years. Facebook‘s assessment of this particular malware campaign echoes the roll-call of APT32’s interests reported elsewhere: “human rights activists locally and abroad, various foreign governments including those in Laos and Cambodia, non-governmental organizations, news agencies and a number of businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services.”

Facebook does not describe the Bangladesh-based activity as the work of an APT group, but the company does link it to two organizations with minimal online profiles in the West: “Don’s Team (also known as Defense of Nation) and the Crime Research and Analysis Foundation (CRAF).”

Don’s Team, on a web page that remained active as of Friday morning, calls itself “a non-profit community based in Bangladesh, founded on October 14, 2015, with a view to improve the overall social media experience for our fellow Bangladeshi and make it a much safer and secure place for all to roam.”

CRAF appears to have has less of an online presence, but in a now-removed Facebook page, it called itself “a non-profit Organization primarily based on online crime investigation formed by a group of young committed people,” with the intention of raising awareness about social media behavior and technology laws in Bangladesh.


“Don’s Team and CRAF collaborated to report people on Facebook for fictitious violations of our Community Standards, including alleged impersonation, intellectual property infringements, nudity and terrorism,” wrote Gleicher and Dvilyanski. “They also hacked people’s accounts and Pages, and used some of these compromised accounts for their own operational purposes, including to amplify their content.”

The tactics by Don’s Team and CRAF included “email and device compromise and abuse of our account recovery process,” the researchers wrote.

Thursday’s announcement comes as Facebook continues to face criticism for not doing more to tame the misinformation that continues to pop across its platform. This year saw the company take aim at the QAnon conspiracy theory in the U.S., as well as information operations allegedly originating in Iran and Russia.

Latest Podcasts