A hacking group with suspected ties to the Chinese government is engaged in an ongoing and expansive cyber-espionage operation against Vietnamese organizations, according to three different cybersecurity firms.
The campaign’s discovery comes during a period of mounting geopolitical tension due to a territorial dispute related to the South China Sea. China, Vietnam, Indonesia and the Philippines, among other powers, disagree on which country has claim to a collection of resource-rich islands that sit in the middle of an important international trade route.
Cybersecurity firms Votiro, FireEye and Fortinet each obtained phishing emails that were sent to Vietnamese organizations in recent months. Researchers say these emails carried certain forensic indicators, including overlaps in malware and attack servers, that can be traced back to a group previously attributed to Chinese hackers.
The South China Sea dispute represents a longstanding disagreement that dates back years. Foreign policy experts believe the friction may be inspiring cyber-operations designed to collect intelligence.
Some of the malicious Microsoft Word attachments in the phishing emails obtained by the three security firms contain language about a Vietnamese government document, which may suggest that some of the hackers’ original targets were government employees.
Votiro refers to the hacking group behind these recent intrusion attempts as “1937CN.” According to Votiro, 1937CN was also responsible for a targeted, highly publicized cyberattack against Vietnam Airlines.
“Over the last few weeks, we … uncovered several indicators that were researched and found to be related to a new hacking campaign targeting large Vietnamese organizations,” Amit Dori, an analyst with Votiro, wrote in an Aug. 23 blog post. “This campaign was found to be connected to the same party which previously targeted Vietnam Airlines and some other high profile targets possibly led by the Chinese 1937CN group.”
New research published Tuesday by Fortinet also supports the idea that a Chinese hacking group is likely behind some of the targeted cyber-operations currently affecting Vietnam’s public and private sectors.
Fortinet found hackers were using phishing emails to deploy a sophisticated remote access trojan, or RAT, dubbed “NewCore,” on Vietnamese organizations. The tactic allowed them to remotely spy on infected computers and potentially gain access to connected systems.
The NewCore RAT “may have been derived from the PcClient and PcCortr backdoors whose source codes are publicly available, especially on Chinese language coding forums,” wrote Fortinet researchers Jasper Manuel and Artem Semenchenko. “PcClient was used in the past by some APT groups such as Nitro, which were also linked to a China-based hacker … According to the PDB file string embedded in the NewCore RAT body, the creator of the project is someone using the handle hoogle168.”
According to Fortinet, “Hoogle168” may be connected to an active user on various Chinese-language coding forums who is proficient in C/VC++ and apparently interested in remote-control software.
In an interview with BuzzFeed, Ben Read, FireEye’s manager of cyber-espionage analysis, said a “high-volume” of phishing emails were being sent by Chinese hackers to Vietnamese organizations. Read also spoke with Reuters about the espionage campaign.
CyberScoop was able to confirm that the malicious cyber-activity mentioned by Read is related to the same operation referenced in subsequent reports by Votiro and Fortinet.
Late last month, a Chinese Foreign Ministry spokesperson named Hua Chunying rejected FireEye’s findings. Chunying told reporters that China “oppose[s]” all forms of cyber-espionage. The spokesperson’s comments were widely mocked on social media.