{
	"id": "322766ac-dfab-403a-8d46-4a5a1ed9f599",
	"created_at": "2026-04-06T01:31:49.354392Z",
	"updated_at": "2026-04-10T03:35:58.71537Z",
	"deleted_at": null,
	"sha1_hash": "677ec9279f9b0f333d2cbe6b48ad404bd192fc02",
	"title": "Vietnamese hackers trigger software trap after Australian sale of newspaper in Cambodia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1827914,
	"plain_text": "Vietnamese hackers trigger software trap after Australian sale of\r\nnewspaper in Cambodia\r\nBy Liam Cochrane\r\nPublished: 2018-05-15 · Archived: 2026-04-06 00:51:04 UTC\r\nA Vietnamese state-linked hacking group has used a Cambodian newspaper website to attack a local human rights\r\norganisation, according to a leading cyber security firm.\r\nThe attack started just days after Australian mining magnate Bill Clough sold the newspaper to Malaysian spin\r\ndoctor Sivakumar Ganapathy, who specialises in \"covert PR\".\r\n\"Since last Tuesday [May 8], computers in our office were targeted by a malicious piece of code when we visited\r\nthe Phnom Penh Post website,\" said Naly Pilorge, director of Licadho — one of Cambodia's leading human rights\r\ngroups.\r\n\"We have taken precautions to defeat the targeted attack,\" Ms Pilorge told the ABC.\r\n(L-R) West Australian mining magnate and former owner of the Phnom Penh Post, Bill Clough,\r\nwith then editor-in-chief Kay Kimsong and finance director Heang Tangmeng. 
(Supplied:\r\nFacebook)\r\nSo-called \"watering hole\" attacks use popular websites to select targets and then direct specific malware attacks at\r\nthem.\r\nhttps://www.abc.net.au/news/2018-05-15/hackers-trigger-software-trap-after-phnom-penh-post-sale/9763906\r\nPage 1 of 5\n\nLicadho staff visiting the site are redirected to a fake Google page about privacy and then to a page called\r\nGTransfer which asks for permission to \"read, send, delete and manage your email\" and \"view your contacts\".\r\nAs of Tuesday afternoon, the attack attempts were still happening for Licadho staff.\r\n\"In this instance we're pretty confident that this is being carried out by a group we track as APT32,\" said Ben\r\nWilson, a Canberra-based threat intelligence analyst with cyber security firm FireEye.\r\n\"They are what we believe to be a Vietnam-based nation state group that are acting in the interests of Vietnam's\r\npolitical interests,\" Mr Wilson told the ABC.\r\nFirst the attack tricks users into providing their Google account data. (ABC News)\r\nThen it asks whether you will allow GTransfer access to your Google account. 
(ABC News)\r\nAPT32 has targeted foreign governments, as well as Vietnamese dissidents and journalists for at least five years.\r\nSince 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam's\r\nmanufacturing, consumer products and hospitality sectors.\r\nThis particular malware campaign by APT32 is believed to have started in late 2016, and the group is the first state-linked\r\nhacking outfit identified by FireEye that is not Chinese or Russian.\r\n\"This kind of selective targeting allows the actors to stay under the radar a bit longer, you're less likely to tip off\r\nsomeone [than] if they're just redirecting all visitors to these websites to a malicious location,\" said Mr Wilson.\r\nFireEye first detected the Phnom Penh Post had been compromised in November 2017.\r\nUsing Wayback Machine — a research tool that allows a snapshot of webpages as they existed on certain dates —\r\nit is clear that malicious 'eval()' code used to trigger the targeted attack was added to the Phnom Penh Post website\r\non or around May 8.\r\nMalware attack comes ahead of national election\r\nCalls to six different numbers listed on the Phnom Penh Post website went unanswered on Tuesday.\r\nThe ABC has contacted Sivakumar Ganapathy via his company Asia PR, and his lawyer Ly Tayseng, but there\r\nwas no response at time of publication.\r\nSivakumar Ganapathy (right) with Philip Mills who heads AsiaPR's presence in Phnom Penh.\r\n(Facebook)\r\nNegotiations between Bill Clough and Sivakumar Ganapathy over the sale of the newspaper were already\r\nunderway in November 2017, when early stages of the malware were detected.\r\nThe ABC has no evidence the former or current owners of the Post were aware of the malicious software\r\nimplanted into the paper's website.\r\nA spokesman for the Vietnamese Government had not responded at time 
of publication, but Hanoi has previously\r\ndenied similar allegations.\r\nIn a New York Times story about cyber-attacks in Asia and Europe, spokeswoman for the Vietnamese Foreign\r\nMinistry Le Thi Thu Hang called the findings of a previous FireEye report \"groundless\".\r\nVietnam \"does not allow cyberattacks on organisations or individuals,\" she told the New York Times in May 2017.\r\nAustralian security researcher Troy Hunt said getting access to email is particularly valuable for hackers.\r\n\"It tends to be the skeleton key for all your other accounts, so if someone can get access to your email they usually\r\nhave the ability to go through and reset passwords on other accounts,\" said Mr Hunt.\r\nHe said there were some obvious warning signs that GTransfer was bogus, including its website having the\r\ncontact email \"some.email@somewhere.com\".\r\n\"It certainly looks dodgy,\" said Mr Hunt.\r\nThe malware attack comes in the lead-up to a national election in Cambodia on 29 July.\r\nHun Sen — who was placed into power by Vietnam in the 1980s and has been Prime Minister for 33 years — has\r\nthreatened civil war if his Cambodian People's Party is not re-elected.\r\nOn Hun Sen's request, courts have outlawed the main opposition party, locked up its leader on treason charges and\r\nbanned 118 opposition MPs from politics for five years.\r\nThe increasingly-authoritarian leader has also attacked the media.\r\nBoth the Phnom Penh Post and The Cambodia Daily were hit with multi-million-dollar tax bills.\r\nThe Daily was forced to close last year, and the Post's sale earlier this month was immediately followed by\r\neditorial interference by the new Malaysian owner and the departure of 14 staff.\r\nCrucially, for Cambodia's mostly-rural population with low literacy, Hun Sen closed down 32 radio frequencies\r\nwhich broadcast independent 
news.\r\nDisclosure: Liam Cochrane worked at the Phnom Penh Post as a journalist in 2004 and as the managing\r\neditor in 2005.\r\nSource: https://www.abc.net.au/news/2018-05-15/hackers-trigger-software-trap-after-phnom-penh-post-sale/9763906",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.abc.net.au/news/2018-05-15/hackers-trigger-software-trap-after-phnom-penh-post-sale/9763906"
	],
	"report_names": [
		"9763906"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439109,
	"ts_updated_at": 1775792158,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/677ec9279f9b0f333d2cbe6b48ad404bd192fc02.pdf",
		"text": "https://archive.orkl.eu/677ec9279f9b0f333d2cbe6b48ad404bd192fc02.txt",
		"img": "https://archive.orkl.eu/677ec9279f9b0f333d2cbe6b48ad404bd192fc02.jpg"
	}
}