
In an unexpected announcement on Thursday, the Facebook security team revealed the real identity of APT32[1], one of today's most active state-sponsored hacking groups, believed to be linked to the Vietnamese government.

The company said it took this step after it detected APT32 using its platform to spread malware in attempts to infect users.

"Our investigation linked this activity to CyberOne Group [archived website[2], archived Facebook page[3]], an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso)," said Nathaniel Gleicher, Head of Security Policy at Facebook, and Mike Dvilyanski, Cyber Threat Intelligence Manager.

A CyberOne spokesperson could not be reached for comment over the phone, as a previously listed phone number was offline.

APT32 operated fake accounts in widespread malware campaign

According to Gleicher and Dvilyanski, APT32 operated on Facebook by creating accounts and pages for fictitious personas, usually posing as activists or business entities.

Using romantic or other lures, the group would often share links with their targets to various domains they either hacked or operated themselves.

The links would usually lead to phishing or malware, or would even include links to Android apps that the group had managed to upload on the official Play Store, allowing them to spy on their victims.

Based on its insights into this campaign, Facebook said the group targeted entities such as:

  • Vietnamese human rights activists locally and abroad
  • Foreign governments, including those in Laos and Cambodia
  • Non-governmental organizations
  • News agencies
  • Businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services

Facebook said that besides taking down the group's accounts and pages, they have also blocked the group's domains,
