OceanLotus APT

Type: Nation-State-Sponsored

OceanLotus APT Status: Inactive

Other Names: APT32

Active Since/Discovered: 2012 / 2015

Last Report: June 3, 2015


    • 92% of targets are in mainland China and Beijing

Target Sectors:

    • Maritime institutions, shipping enterprises, Chinese government departments, and research institutes


Preferred Attack Vector: Phishing emails and watering hole attacks


    • Stolen documents had little commercial value
    • Group is persistent and highly organized
    • China believes OceanLotus may be U.S. based
      • Could be based out of any country fighting with China over the South China Sea
      • Could also be a self-targeted (false-flag) campaign meant to deflect allegations that China is a major cyber-threat sponsor (“look, we were hacked too”)