Hackers either working for the Vietnamese government or on their behalf have broken into the computers of multinationals operating in the country as part of an increasingly sophisticated cyber-espionage campaign, cyber-security company FireEye said.
Nick Carr, senior manager of FireEye’s Mandiant Incident Response team, said in an interview the same group was also responsible for hacking into the computers of Vietnamese dissidents and journalists.
He said it was impossible to identify or locate the hackers precisely or confirm they were working for the Vietnamese government, but the information they sought would be of very little use to any other party.
The attacks are unrelated to the WannaCry ransomware worm that has ravaged computers around the world since Friday.
“All the activity we have seen is of interest to the nation of Vietnam,” Carr said in a phone interview ahead of Monday’s publication of a FireEye report on hacking in Vietnam.
The government rejected the accusation.
“The government of Vietnam does not allow any form of cyber-attacks against organisations or individuals,” said foreign ministry spokeswoman Le Thi Thu Hang. “All cyber-attacks or threats to cyber-security must be condemned and severely punished in accordance with regulations and laws.”
Carr said FireEye had observed the group, which it called APT32, targeting foreign corporations with interests in Vietnam’s manufacturing, consumer products and hospitality sectors since 2014.
In several cases, he said, the hackers sought information about the companies’ operations and their adherence to local regulations, something he had rarely seen other hacker groups attempt.
Victims included a German manufacturing company about to build a factory in Vietnam, a Chinese hotel developer planning to expand its operations in the country, and the local office of a British-based global consulting firm.
He said in most cases the companies were household names. He declined to identify them, citing client confidentiality. Executives, human resources and finance staff were targeted, he said.
The report marks the first time a cybersecurity company has pointed to Vietnam as the source of state-motivated cyber-attacks. It is also the first time FireEye had assigned the label APT – standing for advanced persistent threat, a term usually reserved for state-sponsored hacker groups – to a group outside China and Russia.
Robert Trong Tran, who directs PwC (PricewaterhouseCoopers) cyber-security services business in Vietnam, said before the publication of the report that he was not aware of any cases of European companies being hacked.
PwC declined to comment on the FireEye report.
Amanuel Flobbe, chairman of the Vietnam European Chamber of Commerce’s Information and Communications Technologies committee, said that while European companies in Vietnam had been damaged by hackers, it was no different to hacks seen elsewhere.
Vietnam has long been vulnerable to hacking, both criminal and politically motivated. In January, Microsoft listed it behind only Mongolia of countries infected with malware, with more than double the worldwide average.
Carr said the hackers “could do a lot of damage or could have a lot of impact on the organisations’ competitive advantage, their ability to successfully navigate investigations and regulations.”
In the case of the German manufacturer, he said, “one would suspect the timing isn’t coincidental and the government has an unfair advantage.”
The same group was responsible for earlier attacks on local and foreign journalists, as well as dissidents and the Vietnamese diaspora in Australia and Southeast Asia, he said.
It was the same group that Chinese cybersecurity company SkyEye Labs called OceanLotus in 2015, Carr said.
SkyEye, a part of Internet company Qihoo 360, wrote that the group was behind attacks on Chinese government agencies, research institutes and companies. It did not identify Vietnam as the source of the attacks.
SkyEye did not respond to requests for comment.
Carr said that his own research confirmed it was the same group, but that he didn’t have any recent evidence that APT32 continued to target China.
The group is also linked to attacks on journalists, activists, dissidents and bloggers in Vietnam reported by the Electronic Frontier Foundation in 2013. It has also targeted Vietnamese overseas and broke into the computers of a Western national parliament, Carr wrote in the report.
Vietnamese media organisations have also been targeted, he said.