- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Miguel Gomez is a senior researcher at the Center for Security Studies and Brandon Valeriano is a reader at Cardiff University, the Donald Bren Chair of Armed Politics at the Marine Corps University, a fellow at the Niskanen Center, and author of Cyber War versus Cyber Realities on Oxford University Press.
The recent disclosure that an Advanced Persistent Threat (APT) operating out of Vietnam covertly released the transcript of talks between the Philippine President Rodrigo Duterte and the United States’ Donald Trump sheds light on an often overlooked cyber actor in the region. It suggests Vietnam is becoming a disruptive regional force in cyberspace.
The appearance of inter-state cyber operations within South East Asia is not surprising given the long-standing, and often territorial, disputes between geographically proximate states. While Vietnam is a known actor in the regional cyber domain, its activity has paled in comparison to China, which undertakes frequent cyber espionage operations against neighbors, including Vietnam. In addition, cyber operations attributable to Vietnam have mainly targeted companies and dissidents – thus letting Vietnam fly under the radar.
What is new and unique is the attribution of Vietnamese attacks on Philippine state agencies, which was first reported on May 15. Cyber intelligence firms such as FireEye have attributed these attacks to an actor designated as APT32 (aka OceanLotus Group). The group has been associated with espionage campaigns targeting both foreign governments and local dissidents – to an extent mimicking the profile of Chinese operations within this domain.
While no definitive link can be drawn between this group and direct government sponsorship, the alignment between targets and national interest is quite telling and supports the cyber forensic analysis already conducted. While still relying on common techniques such as spear phishing and corrupted Doc files, the hackers’ use of custom-built code suggests they are part of a well-resourced group.
The timing of the document leak suggests an attempt on the part of the Vietnamese regime (or elements of it) to increase pressure on the Philippines by exposing its warming ties with China. The document disclosure also included notes from a conversation between Duterte and Chinese President Xi Jinping. This rationale is not surprising considering the new president’s conciliatory remarks towards China and his willingness to forgo the advantage the Philippines gained from the decision of the Permanent Court of Arbitration in The Hague last spring, which weakens the on-going claims by other South East Asian states, including Vietnam.
Nevertheless, even if Vietnam’s motive is evident, what it hopes to achieve is unclear. Is Vietnam trying to shame the Philippines into taking an assertive stance against China? If this is the goal, then the Vietnamese are overlooking the unique characteristics of the current Philippine administration, which has demonstrated an unwillingness to change its policies in the face of external pressure. Duterte’s refusal to curb the excesses of his “war on drugs” despite economic threats (e.g. loss of EU financial aid) reinforces this view.
Perhaps Vietnam’s goal is simply to sow chaos and distrust – which has been Russia’s objective in recent information operations against the electoral systems of Western democracies. Understood in this context, the burden of response is not on the state but on society, which must reject these information disclosures and the more pernicious threat of disinformation. So far, the Philippine public has remained unresponsive to such stimuli and has maintained an overall position of unity against external threats. This outcome calls into question the efficiency of disinformation operations. If the goal of the Vietnamese was to foment outrage in the Philippines and force Duterte to reconsider his position, then proponents of this operation have either failed to understand how the Philippine public would react or have simply poorly timed their disclosure. In this situation, it may have been both.
However, even if ineffective, Vietnam will incur little cost for engaging in cyber operations against neighbors, which is why we can expect them to continue. Despite growing interest in the ASEAN bloc regarding the threat of cyber operations, no mechanism exists to “punish” Vietnam. Similarly, as espionage is considered a routine state behavior, it is unlikely that its neighbors would reprimand Vietnam. Finally, because ASEAN members are, in general, characterized as having limited defense capabilities in cyberspace, publicly criticizing Vietnam may invite future retaliation through cyberspace that other members may wish to avoid.