Information about operation Cobalt Kitty
In this APT, the threat actor was very aware of the risks of exposure and tried to combat attribution as much as possible, as is often the case in large-scale cyber espionage operations of this type. At the time of the attack, there were few classic indicators of compromise (IOCs) that could lead to attribution. At the same time, however, the threat actors behind Operation Cobalt Kitty left enough "behavioral fingerprints" to suspect the involvement of the OceanLotus Group (also known as APT-C-00, SeaLotus and APT32), which was first documented by Qihoo 360's SkyEye Labs in 2015 and further researched by other security companies, including FireEye. Reports of the group's activity in Asia date back to 2012, when it was attacking Chinese entities. Over the years, the group was observed attacking a wide spectrum of targets in other Asian countries, including the Philippines and Vietnam. Cybereason concludes that the tactics, techniques and procedures (TTPs) observed throughout Operation Cobalt Kitty are consistent with the group's previous APT campaigns in Asia.