Vietnamese hackers spent years harassing human rights activists with spyware

OceanLotus has a vast array of tools at its disposal to conduct espionage.
Security forces outside the National Convention Centre in Hanoi. (Nhac Nguyen/AFP via Getty Images)

For the past several years a Vietnamese hacking group best known for its attacks on the auto sector has been targeting activists and non-governmental organizations with spyware, according to an Amnesty International investigation published Wednesday.

The suspected government-linked hackers, known as OceanLotus or APT32, specifically targeted pro-democracy activist Bui Thanh Hieu, who writes about human rights and economic justice, with spyware on four occasions between February 2018 and December 2019, according to the investigation. The same group launched spyware against a blogger, who has written on a violent police clash in Vietnam in 2009, three times between July and November of last year.

Bui Thanh Hieu has been exiled in Germany since 2013. Amnesty did not identify the blogger out of concern for their safety.

In April 2020, the hackers also went after the Vietnamese Overseas Initiative for Conscience Empowerment (VOICE), which works on behalf of resettling Vietnamese refugees.


To run their surveillance operation, the hacking group sent activists emails that appeared to contain important documents or a link. In fact, the malicious files would enable the outsiders to gather information from their target. The hacking tools used against the activists included malware tailored for both macOS and Windows systems, including spyware called Kerrdown, which then downloads Cobalt Strike, according to Amnesty.

The operation could have allowed the attackers to track victims’ keystrokes or to take screenshots.

The steady drumbeat of surveillance against Vietnamese activists is emblematic of a larger freedom of expression problem in Vietnam, according to Amnesty.

“Human rights are increasingly under attack both offline and online in Viet Nam,” the group said in a blog post. Vietnam’s cybersecurity law, which came into effect in 2019, allows the government sweeping authority to obtain data on technology companies’ users and monitor speech online.

“Over the past 15 years, repression linked to online activity has intensified, leading to a wave of harassment, intimidation, physical assault, and prosecution,” the blog notes, describing systemic harassment of activists in the country.


OceanLotus has gone after human rights groups before, according to previous research. The hackers have been using watering hole and phishing-based tactics to target Vietnamese activists in Germany since 2015, for instance, according to an investigation published by German broadcaster BR and weekly newspaper Zeit Online in October.

The group is better known for its attacks against corporations in the manufacturing, hospitality and auto industries, though the Amnesty investigation is a reminder that OceanLotus has a vast array of tools at its disposal to wreak havoc against espionage targets, including those who could be perceived as posing a political threat to Vietnam.

An investigation published last year by Kaspersky researchers revealed the hacking group has been releasing malicious software through the Google Play Store to collect call logs, texts and geolocation from foreign and domestic targets for the previous four years.

In recent months the hacking group has also expanded its operation to include websites that publish propaganda under the guise of news, and Facebook pages meant to target victims in Vietnam and Southeast Asia with malware, according to Volexity research.

Amnesty International does not attribute OceanLotus to the Vietnamese government, but suggests the focus on targeting human rights groups in Vietnam and the region “raises questions about whether Ocean Lotus is linked to Vietnamese state actors.”


“The consistent evidence linking Ocean Lotus to Viet Nam should trigger the Vietnamese authorities to undertake an impartial, thorough and independent investigation into the group’s unlawful activities and human rights abuses,” Amnesty warns.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
