Skip to main content
Amnesty International UK
Log in

Vietnam: Activists targeted by notorious hacking group - new investigation

Human rights defenders subjected to spyware attacks

Ocean Lotus group suspected of having link to Vietnamese government

Notorious hacking group Ocean Lotus, which has been suspected of having links with the Vietnamese government, is behind a sustained campaign of spyware attacks on the country’s human rights activists, a new investigation by Amnesty Tech has revealed.

The organisation’s Security Lab found technical evidence in phishing emails sent to two prominent Vietnamese human rights defenders showing that Ocean Lotus was responsible for the attacks between 2018 and November 2020.

The hacking group has been repeatedly identified by cyber security firms as targeting Vietnamese political dissidents, foreign governments and companies, indicating an intensifying assault on freedom of expression in the country.

Likhita Banerji, researcher at Amnesty Tech, said:

“These latest attacks by Ocean Lotus highlight the repression Vietnamese activists at home and abroad face for standing up for human rights. This unlawful surveillance violates the right to privacy and stifles freedom of expression.

“The Vietnamese government must carry out an independent investigation. Any refusal to do so will only increase suspicions that the government is complicit in the Ocean Lotus attacks.

“Online freedoms are under unprecedented attack in Viet Nam. Despite these threats, courageous activists continue to stand up for human rights. The relentless repression they face, including targeted cyber-attacks, must end.”

Amnesty’s investigation found that blogger and pro-democracy activist Bui Thanh Hieu was targeted with spyware at least four times between February 2018 and December 2019. The prominent activist had been repeatedly harassed by Vietnamese authorities before he sought sanctuary in Germany, where he has lived since 2013.

Another blogger in Vietnam, who is not named due to security concerns, was targeted three times between July and November 2020.

The Vietnamese Overseas Initiative for Conscience Empowerment (VOICE), a Philippines-based non-profit organisation that supports Vietnamese refugees and promotes human rights, was targeted in April 2020. Former staff members and volunteers for the NGO have also been repeatedly harassed, banned from travelling and have had their passports confiscated upon their return to Vietnam.

All the attacks took the form of emails pretending to share an important document with a link to download a file. These files included spyware for Mac OS or Windows systems. Amnesty’s analysis of the malicious emails showed Ocean Lotus was responsible as they used specific tools, techniques and network infrastructure known to be employed by the hacking group.

Sophisticated capabilities

Ocean Lotus (also known as APT-C-00 and APT32) is responsible for numerous targeted cyber-attacks dating back to at least 2013, targeting different industries, government agencies of neighbouring countries to Vietnam and civil society organisations. It has developed sophisticated capabilities comprising several variants of Mac OS spyware, Android spyware and Windows spyware.

The group is also known to compromise websites of interest to target people who visit the site. More recently, Ocean Lotus was found to have created fake online media websites based on content automatically gathered from legitimate news websites.

The targeting of human rights defenders using digital surveillance technology is unlawful under international human rights law. Unlawful surveillance violates the right to privacy and impinges on the rights to freedom of expression and opinion, of association and of peaceful assembly.

Online repression

Online expression in Vietnam is increasingly being criminalised as part of a wider crackdown on critical voices. Activists are jailed, harassed, attacked, and censored into silence on the basis of vague laws that do not comply with international human rights standards.

In January 2019, a repressive Law on Cybersecurity came into effect in Vietnam, granting the government sweeping powers to limit online freedom, to compel technology companies to hand over vast amounts of data and to censor users’ content.

Amnesty recently documented systematic repression in Vietnam using censorship, physical attacks, criminalisation, and online harassment of activists. The report, Let Us Breathe, highlighted how Facebook and Google are increasingly complicit in the Vietnamese authorities’ censorship regime.





View latest press releases