Article

24 Feb 2021

Author:
Amnesty International

Vietnamese human rights defenders targeted with spyware attacks

A new Amnesty International investigation has identified a campaign of spyware attacks targeting Vietnamese human rights defenders (HRDs) from February 2018 to November 2020. Amnesty International’s Security Lab attributes these attacks to an attack group known as Ocean Lotus. The group has been active since at least 2014, targeting the private sector and HRDs.

... The investigation conducted by Amnesty International’s Security Lab revealed that two HRDs and a non-profit human rights organization from Viet Nam have been targeted by a coordinated spyware campaign. This spyware allows full monitoring of a compromised system, including reading and writing files, or launching other malicious programs.

... The spyware identified by the Security Lab was for either Mac OS or Windows systems. The Windows spyware was a variant of a malware family called Kerrdown, used exclusively by the Ocean Lotus group. Kerrdown is a downloader that installs additional spyware from a server on the victim’s system and opens a decoy document. In this case, it downloaded Cobalt Strike, a commercial spyware toolkit developed by the American company Strategic Cyber and routinely used to lawfully audit the security of organizations through simulated attacks. It allows an attacker full access to the compromised system including executing scripts, taking screenshots or logging keystrokes. Unlicensed versions of Cobalt Strike have been increasingly used by attack groups, including Ocean Lotus, over the past three years.

Part of the following timelines

Amnesty investigation reveals targeting of Vietnamese human rights defenders with spyware attacks

Vietnam: Reports reveal targeting of civil society through demands on platforms & spyware attacks