OceanLotus

OceanLotus, also named APT32, BISMUTH, Ocean Buffalo by CrowdStrike, or Canvas Cyclone by Microsoft,^[1] is a hacker group allegedly associated with the government of Vietnam. The founding member is identified as meli0das.^[2][3][4][5] It has been accused of cyberespionage targeting political dissidents, government officials, and businesses with ties to Vietnam.^[6]

History

In April 2020, Bloomberg reported that OceanLotus had targeted China's Ministry of Emergency Management and the Wuhan municipal government in order to obtain information about the COVID-19 pandemic. The Vietnamese Ministry of Foreign Affairs called the accusations unfounded.^[7][8][9]

In November, Kaspersky researchers disclosed that OceanLotus had been using the Google Play Store to distribute malware. Volexity researchers disclosed that OceanLotus had set up fake news websites and Facebook pages to both engage in web profiling and distribute malware.^[10][11] According to reports, Facebook traced the group's activities to an IT company called CyberOne Group in Ho Chi Minh City.^[12]

In February 2021, Amnesty International reported that OceanLotus had launched a number of spyware attacks against Vietnamese human rights activists, including Bùi Thanh Hiếu.^[13]

In March 2021, it was reported that the group's operations were impacted by a fire at an OVHcloud data centre in France.^[14]