OceanLotus, SeaLotus, APT32, TIN WOODLAWN
Ocean Buffalo is a Vietnam-based targeted intrusion adversary reportedly active since at least 2012.
This adversary is known to employ a wide range of Tactics, Techniques, and Procedures (TTPs), to include the use of both custom and off-the-shelf tools as well as the distribution of malware via Strategic Web Compromise (SWC) operations and spear phishing emails containing malicious attachments.
Targeted organizations are primarily located in East and Southeast Asian countries such as China, Cambodia, the Philippines, and Vietnam; however, Ocean Buffalo has also targeted Western organizations in several sectors, including automotive manufacturing and hospitality. Observed activity indicates that this adversary’s mission scope is broad and encompasses primarily operations focused on Vietnamese internal security issues and foreign intelligence collection, with some economic espionage activity evident since at least late 2018.
Ocean Buffalo's activity in the first quarter of 2020 exhibited a focus on collection of information related to the COVID-19 pandemic. Public reporting revealed adversary activity focused on Chinese government and private sector entities using COVID-19-themed spear phishing emails. The specific targets indicated that the likely objective of this activity was intelligence collection related to the disease's spread in China as well as processes it put in place to respond COVID-19. In addition, in June 2020 CrowdStrike Intelligence identified Ocean Buffalo Strategic Web Compromise (SWC) activity targeting domestic Vietnamese individuals with KerrDown malware, likely as part of internal surveillance against Vietnamese journalists or dissidents.
- NGOs and Nonprofits