Vietnamese activists targeted by notorious hacking group

Hacking group Ocean Lotus, which has been suspected of having links with the Vietnamese government, is behind a sustained campaign of spyware attacks on the country’s human rights activists, a new investigation by Amnesty Tech reveals, underscoring an intensifying assault on freedom of expression.

These latest attacks by Ocean Lotus highlight the repression Vietnamese activists at home and abroad face for standing up for human rights. This unlawful surveillance violates the right to privacy and stifles freedom of expression.

Likhita Banerji, researcher at Amnesty Tech

Amnesty Tech’s Security Lab found technical evidence in phishing emails sent to two prominent Vietnamese human rights defenders, one of whom lives in Germany, and a Vietnamese NGO based in the Philippines, showing that Ocean Lotus is responsible for the attacks between 2018 and November 2020.

The hacking group has been repeatedly identified by cyber security firms as targeting Vietnamese political dissidents, foreign governments and companies.

“These latest attacks by Ocean Lotus highlight `the repression Vietnamese activists at home and abroad face for standing up for human rights. This unlawful surveillance violates the right to privacy and stifles freedom of expression,” said Likhita Banerji, researcher at Amnesty Tech.

“The Vietnamese government must carry out an independent investigation. Any refusal to do so will only increase suspicions that the government is complicit in the Ocean Lotus attacks.”

Amnesty Tech’s investigation found that blogger and pro-democracy activist Bui Thanh Hieu was targeted with spyware at least four times between February 2018 and December 2019. The prominent activist had been repeatedly harassed by Vietnamese authorities before he sought sanctuary in Germany, where he has lived since 2013. Another blogger in Viet Nam, who is not named due to security concerns, was targeted three times between July and November 2020.

A Philippines-based non-profit organization that supports Vietnamese refugees and promotes human rights, called the Vietnamese Overseas Initiative for Conscience Empowerment (VOICE), was targeted in April 2020. Former staff members and volunteers for the NGO have also been repeatedly harassed, banned from travelling and have had their passports confiscated upon their return to Viet Nam.

All the attacks took the form of emails pretending to share an important document with a link to download a file. These files included spyware for Mac OS or Windows systems. Amnesty Tech’s analysis of the malicious emails showed Ocean Lotus was responsible as they used specific tools, techniques and network infrastructure known to be employed by the hacking group.

Sophisticated capabilities

Ocean Lotus (also known as APT-C-00 and APT32) is responsible for numerous targeted cyber-attacks dating back to at least 2013, targeting different industries, government agencies of neighbouring countries to Viet Nam and civil society organizations. It has developed sophisticated capabilities comprising several variants of Mac OS spyware, Android spyware and Windows spyware.

The group is also known to compromise websites of interest to target people who visit the site. More recently Ocean Lotus was found to have created fake online media websites based on content automatically gathered from legitimate news websites.

The targeting of human rights defenders using digital surveillance technology is unlawful under international human rights law. Unlawful surveillance violates the right to privacy and impinges on the rights to freedom of expression and opinion, of association and of peaceful assembly.

Amnesty International shared its findings with the Viet Nam authorities and has not received a response at the time of publication.

Online repression

Online expression in Viet Nam is increasingly being criminalized as part of a wider crackdown on critical voices. Activists are jailed, harassed, attacked, and censored into silence on the basis on vague and overbroad laws that do not comply with international human rights standards.

In January 2019, a repressive Law on Cybersecurity came into effect in Viet Nam, granting the government sweeping powers to limit online freedom, to compel technology companies to hand over vast amounts of data and to censor users’ content.

Amnesty International recently documented systematic repression in Viet Nam using censorship, physical attacks, criminalization, and online harassment of activists. The report, Let Us Breathe, highlighted how Facebook and Google are increasingly complicit in the Vietnamese authorities’ censorship regime.

“Online freedoms are under unprecedented attack in Viet Nam. Despite these threats, courageous activists continue to stand up for human rights. The relentless repression they face, including targeted cyber-attacks, must end,” said Likhita Banerji.