Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/5/2019
06:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Vietnam Rises as Cyberthreat

The country's rapid economic growth and other factors are driving an increase in cybercrime and cyber espionage activity.

Vietnam has rarely been associated with cybercrime activity in the same way other Asian nations, such as China, North Korea, and Iran, have in recent years. But that could change soon.

According to a new report from Intsights, cybercrime and cyber espionage activity in Vietnam is growing.

Vietnamese-language based Internet traffic and activity on the Deep and Dark Web is increasing, and so are attacks on foreign multinational organizations based in the country — particularly automotive companies and media outlets.

At least one previously known advanced persistent threat (APT) group — APT32/OceanLotus — appears to be working in support of the government's strategic interests. Over the past year or so, the threat group has ramped up attacks against Vietnamese and Cambodian media outlets viewed as hostile to the government. The threat actor has also been increasingly going after automobile manufacturers in advance of the planned launch of Vietnam's first domestically manufactured vehicles this September.

"This is an optimal time to be keeping a close eye on Vietnam, their economy, and their cyber operations — both state-sponsored and group," says Charity Wright, cyberthreat intelligence analyst at IntSights. Several factors are contributing to the increased threat activity, she says. One is the country's rapid economic growth.

Vietnam's one-party government has committed to aggressive economic growth and has been investing in domestic technology development. With the country seeking ways to gain an advantage over regional economic powerhouses like China, Japan, and South Korea, there has been an increase in cyber espionage activity targeting multinationals, IntSights said.

APT32's attacks on auto manufacturers serve as one example. Last year the group launched a worldwide malware and espionage campaign targeting major auto companies, such as Toyota. The timing of the attacks suggests the group was tasked with gathering intelligence on rivals and potentially even disrupting their operations with a view to helping VinFast, Vietnam's first domestic auto company, get off the ground faster.

Internet Censorship Law
The increased threat activity, at least partly, also appears tied to an unpopular Internet censorship law that Vietnam's government passed last year, IntSights said. The law requires social media companies, such as Facebook and Twitter, to maintain local offices in Vietnam, store local user data within the country, and hand the data over to the government upon request.

The law puts restrictions on what people can say and do on social media. The government has also established a cyber offensive unit called Force 47, comprising some 10,000 members to enforce the law. Force 47's mission is to monitor for and block access to content that the government deems as unfriendly and unsavory.

The censorship law has driven a growing number of Vietnamese users to the Dark Web, and more people have begun seeking information on cryptocurrencies and cybercrime opportunities, according to the IntSights report. Vietnamese-speaking users have increasingly begun populating well-known, multilanguage, underground forums, though sites dedicated solely to Vietnamese users continue to have relatively low membership, Wright says.

Hacker Vietnam Association (HVA), a Vietnamese hacking website, had over 14,000 members when it was shut down last year. The site offered information on a variety of topics, including hacking, carding, Tor usage, and cryptocurrencies.

Since then, other sites have taken the place of HVA, including one called Vietnam Hacker Blackhats, Wright notes. Such sites are providing a forum for Vietnamese hackers to collaborate, trade ideas, and tutor each other on a wide variety of malicious activities, including how to access dark sites, steal bank and credit card information, hack social media account, and reverse-engineer malware. Other researchers have associated at least one other APT — Poison Ivy, aka APT-C-01 — with Vietnam. But IntSights is unable to confirm that information, Wright says.

"This is a dynamic time for Vietnam because of the rise of their state-sponsored APT32 and the growth of the Vietnamese-language cyber underground," Wright says.  

The nation is fast developing new technologies and learning how to use its Force 47 offensive unit to further economic growth and the objectives of the Vietnamese Communist party, she says.

Up until now, the targets have been directly aligned with the country's economic and political interests. But Vietnam-based cybercrime activity has been observed targeting US and global banks, social media websites, and other organizations.

"We are witnessing the rise and development of a viable global cyberthreat and notable migration of young, technical population to the Deep and Dark Web," Wright says. 

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.