Digital Surveillance and Cyberespionage at Scale

Offered By: RSA Conference via YouTube

Tags

RSA Conference Courses, Keylogger Courses, Spear Phishing Courses, Advanced Persistent Threats (APT) Courses

Course Description

Overview

Explore the tactics and operations of OceanLotus, one of the most advanced and pervasive threat groups active today, in this 51-minute RSA Conference talk. Delve into how this sophisticated group manages tracking, exploitation, and command and control operations globally. Discover the likelihood of being unknowingly tracked by OceanLotus and learn how digital surveillance campaigns evolve into full-fledged cyberespionage operations. Gain insights into the unexpected origins of advanced persistent threats, examine how APT groups leverage government and NGO websites for targeted attacks, and understand the abuse of legitimate cloud services to bypass security controls. Uncover the group's massive tracking campaign, its use of the Scanbox framework, and its compromises of high-profile targets like ASEAN and the Philippines National Security Council. Analyze OceanLotus' evolving techniques, including brand impersonation, targeting whitelists, and changes in code and infrastructure. Suitable for those with a general understanding of APT threats, exploits, and spear phishing.

Syllabus

Intro
Introduction & Agenda
Background
Massive Tracking Campaign Uncovered
Volexity's First Run-in
Quick Moving
Scanbox!
MFAIC Cambodia
64-bit Binaries - Leviathan/GreenCrew/APT 40
Lots of Data Collection
ASEAN Compromised
New Framework
Philippines National Security Council (NSC)
Keyloggers
Profiling Framework Victimology
Vietnamese NGOs and Individuals
Interesting Notes
Domains: Brand Impersonation
Targeting Whitelists
High Priority Targets
Mach Song Media with Internet Explorer
Logging In?
Last Chance...
OceanLotus Google Access
Post-blog Activity
Business as usual & Resuming Activities
Mid-to-Late 2018
Changes to Code & Infrastructure
New in 2019
OceanLotus Run Websites
Recap and Final Thoughts
Resources
Taught by

RSA Conference
