Breaking News
Get Actionable Insights with InvestingPro+: Start 7 Day FREE Trial Register here
Investing Pro 0
Ad-Free Version. Upgrade your experience. Save up to 40% More details

Facebook tracks 'OceanLotus' hackers to IT firm in Vietnam

Stock Markets Dec 10, 2020 08:10PM ET
Saved. See Saved Items.
This article has already been saved in your Saved Items
2/2 © Reuters. Facebook tracks 'OceanLotus' hackers to IT firm in Vietnam 2/2

By Jack Stubbs and James Pearson

LONDON/HANOI (Reuters) - Cybersecurity investigators at Facebook (NASDAQ:FB) have traced a hacking group long suspected of spying on behalf of the Vietnamese government to an IT company in Ho Chi Minh City.

The announcement on Friday is the first time Facebook has publicly exposed an offensive hacking operation and, if confirmed, would be a rare case of suspected state-backed cyberspies being tracked to a specific organisation.

The hackers, known as OceanLotus or APT32, have been accused for years of spying on political dissidents, businesses and foreign officials. Reuters reported this year that the group had attempted to break into China's Ministry of Emergency Management and the government of Wuhan as the COVID-19 outbreak first spread.

Facebook said it had found links between cyberattacks previously attributed to OceanLotus and a Vietnamese company called CyberOne Group, which lists an address on a sidestreet in a commercial district of Ho Chi Minh city.

CyberOne Group denied being connected to the hackers.

"We are NOT Ocean Lotus," a person operating the company's now-suspended Facebook page said when contacted by Reuters. "It's a mistake."

Vietnam's foreign ministry, which handles enquiries from international media, did not immediately respond to a request for comment. The ministry has previously denied connections to OceanLotus attacks.

Facebook said the hackers had used its platforms to carry out a range of cyberattacks, some of which employed fake accounts to trick targets by posing as activists, businesses and possible love interests.

Nathaniel Gleicher, Facebook's head of cybersecurity policy, said his team had found technical evidence that linked CyberOne's Facebook page to accounts used in the hacking campaign, as well as to other OceanLotus attacks.

He declined to detail the exact evidence, saying to do so would make the group more difficult to track in the future. But he said it included online infrastructure, malicious code, and other hacking tools and techniques.

"The actors in this space use some very defined techniques and if we are too public about how we observe those, it really does harm our ability to catch more of this," Gleicher said.


Although OceanLotus has not gained the level of notoriety in the West as some suspected Chinese and Russian state-backed hacking operations, it has been prolific in southeast Asia.

Ben Read, a senior manager at U.S. cybersecurity firm FireEye (NASDAQ:FEYE), and Marc-Étienne Léveillé, a researcher at Slovakian software security group ESET, said the hacking activity uncovered by Facebook matched operations attributed to OceanLotus.

Read said OceanLotus had been active since at least 2013 and had "all the hallmarks of a substantial state-backed organisation acting in support of Vietnamese government".

Facebook said it did not have sufficient evidence to attribute OceanLotus beyond CyberOne Group, which it said has also used the names CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso.

CyberOne reveals little information about itself on its website, saying only that it has around 200 employees providing a range of "essential security technologies".

A careers page that was removed shortly after Reuters contacted the company advertised positions for people with hacking skills and experience in malware analysis. Recruiters boasted of a generous benefits package, including free meals, a mini movie theatre and after-work yoga.

In Vietnam, Facebook is navigating a standoff with government officials who have threatened to ban it if it does not agree to censorship demands.

Reuters reported in April that Facebook had complied with a government request to increase its censorship of "anti-state" posts after its servers in Vietnam were taken offline, slowing traffic there to a crawl.

Facebook tracks 'OceanLotus' hackers to IT firm in Vietnam

Related Articles

Walmart reaches streaming deal with Paramount+ - WSJ
Walmart reaches streaming deal with Paramount+ - WSJ By Reuters - Aug 15, 2022

(Reuters) - Walmart (NYSE:WMT) Inc has agreed to a deal with Paramount Global to offer Paramount+ streaming service to subscribers of the retailer's membership program, the Wall...

Add a Comment

Comment Guidelines

We encourage you to use comments to engage with other users, share your perspective and ask questions of authors and each other. However, in order to maintain the high level of discourse we’ve all come to value and expect, please keep the following criteria in mind:  

  •            Enrich the conversation, don’t trash it.

  •           Stay focused and on track. Only post material that’s relevant to the topic being discussed. 

  •           Be respectful. Even negative opinions can be framed positively and diplomatically. Avoid profanity, slander or personal attacks directed at an author or another user. Racism, sexism and other forms of discrimination will not be tolerated.

  • Use standard writing style. Include punctuation and upper and lower cases. Comments that are written in all caps and contain excessive use of symbols will be removed.
  • NOTE: Spam and/or promotional messages and comments containing links will be removed. Phone numbers, email addresses, links to personal or business websites, Skype/Telegram/WhatsApp etc. addresses (including links to groups) will also be removed; self-promotional material or business-related solicitations or PR (ie, contact me for signals/advice etc.), and/or any other comment that contains personal contact specifcs or advertising will be removed as well. In addition, any of the above-mentioned violations may result in suspension of your account.
  • Doxxing. We do not allow any sharing of private or personal contact or other information about any individual or organization. This will result in immediate suspension of the commentor and his or her account.
  • Don’t monopolize the conversation. We appreciate passion and conviction, but we also strongly believe in giving everyone a chance to air their point of view. Therefore, in addition to civil interaction, we expect commenters to offer their opinions succinctly and thoughtfully, but not so repeatedly that others are annoyed or offended. If we receive complaints about individuals who take over a thread or forum, we reserve the right to ban them from the site, without recourse.
  • Only English comments will be allowed.

Perpetrators of spam or abuse will be deleted from the site and prohibited from future registration at’s discretion.

Write your thoughts here
Are you sure you want to delete this chart?
Post also to:
Replace the attached chart with a new chart ?
Your ability to comment is currently suspended due to negative user reports. Your status will be reviewed by our moderators.
Please wait a minute before you try to comment again.
Thanks for your comment. Please note that all comments are pending until approved by our moderators. It may therefore take some time before it appears on our website.
Comments (1)
Kaveh Sun
Kaveh Sun Dec 10, 2020 10:10PM ET
Saved. See Saved Items.
This comment has already been saved in your Saved Items
No surprise here, commie always put oppositons in jail or k/i/ll them if they feel threaten
Are you sure you want to delete this chart?
Replace the attached chart with a new chart ?
Your ability to comment is currently suspended due to negative user reports. Your status will be reviewed by our moderators.
Please wait a minute before you try to comment again.
Add Chart to Comment
Confirm Block

Are you sure you want to block %USER_NAME%?

By doing so, you and %USER_NAME% will not be able to see any of each other's's posts.

%USER_NAME% was successfully added to your Block List

Since you’ve just unblocked this person, you must wait 48 hours before renewing the block.

Report this comment

I feel that this comment is:

Comment flagged

Thank You!

Your report has been sent to our moderators for review
Continue with Google
Sign up with Email