Type: Nation-State-Sponsored

OceanLotus APT Status: Inactive

Other Names: APT32

Active Since/Discovered: 2012/ 2015

Last Report: June 3, 2015

Targets:

• • 92% of targets are in mainland China and Beijing

Target Sectors:

• maritime institutions, shipping enterprises, Chinese government departments, and research institutes

Malware:

• Custom OceanLotus Trojan
  • Over 100 samples planted on computers in 29 Chinese provincial regions and 36 countries

Preferred Attack Vector: Phishing emails and watering hole attacks

Unique:

• • Stolen documents had little commercial value
  • Group is persistent and highly organized
  • China believes OceanLotus may be U.S. based
    • Could be based out of any country fighting with China over the South China Sea
    • Could also be a self-targeted campaign (false-flag) meant to dissuade allegations that China is a major cyber-threat sponsor (via “look we were hacked too”)