Facebook has connected the 'Ocean Lotus' hacking group to an IT firm operating out of Ho Chi Minh City.

In a chat with me today (over FB) the firm insisted that wasn’t true.

“We are NOT Ocean Lotus,” they said.

Story by @jc_stubbs & @pearswick reut.rs/2KdbDo2

Ocean Lotus doesn’t get the same press as Chinese, Russian, or North Korean hacking groups but they’ve posed particular menace to Vietnamese exiles. Would love to learn more about this particular actor.

Here’s Facebook’s blog post on the group — and some IOCs:
about.fb.com/news/2020/12/t…

Before it was taken offline, I got through to the person running CyberOne’s Facebook page. They had some interesting things to say when I asked them if they ever participated in offensive operations.

In a conversation — apparently tapped out over the phone — the CyberOne representative denied working for the Vietnamese government.

They also sent me an ALL-CAPS denial that they were behind Ocean Lotus — at one point dangling the possibility that they could collaborate with @Reuters to investigate the group.

I lost touch with the representative — who identified themselves as Hải — when Facebook yanked CyberOne’s account mid-conversation.

Hải, wherever you are, I’m still up for chatting. DM me and we’ll get to the bottom of this.
