Written by Chris Bing

A leaked transcript of a phone conversation between President Donald Trump and his Philippine counterpart was available online for weeks before surfacing in news reports, and it now appears to be just one of a series of sensitive Philippine government documents acquired by a hacker group with suspected ties to the Vietnamese government, according to research conducted by multiple cybersecurity experts and evidence gathered by CyberScoop.

On May 15, eight days before either The Intercept or the Washington Post reported about the transcript of Trump’s call with President Rodrigo Duterte, someone uploaded what appears to be the same document to the repository VirusTotal along with malicious email attachments. How The Intercept and the Post originally obtained their own copies of the Trump-Duterte transcript — which unnamed U.S. officials confirmed as authentic — remains unclear.

The leak appears to be bigger than just one document. Included in the dump were notes regarding a conversation between Duterte and Chinese President Xi Jinping, briefing notes for a call between Philippine government officials and a U.S. senator, and internal documents tied to the Philippine National Security Council.

The files have signs of originating from the same two sources, as indicated by VirusTotal submitter metadata examined by CyberScoop. Cybersecurity researchers have linked that information to an advanced hacking group: OceanLotus, also known as APT32, a unit attributed to the Vietnamese government by several U.S.-based cybersecurity companies.

The sources are associated with attacker documents that provide digital forensic evidence indicative of APT32 activity, according to Nick Carr, a senior manager for Mandiant Incident Response at FireEye.

“We’ve observed several connections between some of these lure documents and APT32. The lures predate the recent public reporting on the APT32 malware contained in some of them,” Carr said. “They are also linked to known APT32 sources. Their likely targets are consistent with previous APT32 targets.”

CyberScoop has not been able to confirm the files’ authenticity, but dates on the documents do coincide with public reporting of related recent diplomatic meetings. Carr refers to them as “lures” because they could have been used to entice a recipient to open a malicious attachment.

A leak, deciphered

Recent cyber-espionage by Vietnam against the Philippines could be driven by the rise of Duterte, said Amy Chang, an affiliate of the Harvard Belfer Center’s Cyber Security Project. The Philippine leader is known for his abrasive style and authoritarian tactics, potentially putting him at odds with other leaders in the Association of Southeast Asian Nations, or ASEAN, a 10-member diplomatic cooperation group that includes Vietnam, but not China. Vietnam, the Philippines and China all have high-stakes interests in the South China Sea.

The group “functions by consensus, and has for years been pushing for a solution to the South China Sea conflicts,” said Chang, a former staff director of the Asia and the Pacific Subcommittee at the U.S. House of Representatives’ Committee on Foreign Affairs.

“Vietnam could feasibly be concerned about President Duterte disrupting an ASEAN-coordinated solution to the South China Sea, or that any negotiated settlement between the Philippines and China jeopardizing Vietnam’s interests in their own territorial disputes in the region,” Chang explained. “Duterte, often known for his iconoclastic and outspoken viewpoints, has indicated during his presidency that he would be willing to enter bilateral negotiations with China.”

In addition to the Trump-Duterte transcript, at least four other uploaded files, all PDFs, appear to be leaked Philippine government documents, and most of them are marked “CONFIDENTIAL” or “SECRET.” (English is one of the nation’s official languages.) It is unclear why the documents were originally posted to VirusTotal.

“Threat actors do sometimes store their lures in places they may be found, whether that’s on social media, security sites or elsewhere,” Carr said.

Given the relatively small number of documents, it’s possible that a hacker made multiple operational mistakes. Posting intelligence on a public forum could have been mere sloppiness.

All of the files were still on VirusTotal as of Wednesday afternoon. The four other documents posted include:

Briefing notes for a private conversation between Duterte and Chinese President Xi Jinping concerning North Korea

Briefing notes for an upcoming courtesy call between Philippine government officials and U.S. Sen. Cory Gardner

Presidential situation room reports written by the Philippine National Security Council

A layout diagram for a recent ASEAN conference

The document related to the conversation with Gardner was uploaded to VirusTotal on May 31. The document itself is also dated May 31 and contains references to North Korea’s missile development program and the global war on drugs. A Gardner staffer declined to confirm whether the senator was planning to have such a call with Philippine officials.

Chinese news media independently confirmed on May 3 that Xi and Duterte had spoken by phone just a few days after the now-infamous Trump-Duterte conversation. The briefing notes for this call were uploaded to VirusTotal on May 15 by one of two related submitter IDs, the same day as the Trump transcript. The content of the Duterte-Xi conversation was not public previous to this report.

The U.S. State Department, Vietnam’s Ministry of Foreign Affairs and the Philippines’ Department of Information and Communications Technology did not respond to a request for comment.

‘Strong attribution here’

Each attachment was similarly uploaded from a computer based in Vietnam. The Trump-Duterte transcript was uploaded twice on the same day by the same source.

“The documents and phishing samples highlighted here align with well known OceanLotus TTPs [Tactics, Techniques and Procedures]. There is strong attribution here to Vietnam,” said Blake Darché, co-founder of U.S. cybersecurity firm Area 1 Security. “While apparently effective, it appears as if OceanLotus has very poor operational security.”

CyberScoop provided Darché, a former NSA analyst, with copies of the forensic evidence for independent analysis to reaffirm FireEye’s findings. He similarly concluded that the available artifacts pointed to an expansive cyber-espionage operation conducted by OceanLotus, aimed at a target with access to Philippine government documents.

OceanLotus has been known to conduct missions against valuable corporations, foreign governments, dissidents and domestic journalists since at least 2014, according to research conducted by FireEye.

In addition to uploading the foreign policy documents, the two aforementioned submitter IDs have uploaded a trove of weaponized MIME HTML files and Microsoft word documents — a favorite tactic of OceanLotus typically deployed within phishing emails to compromise a victim — to VirusTotal in recent months.

Hackers sometimes upload malicious computer code to VirusTotal in an effort to test whether a specific attack could be detected in a targeted network environment.

The sign of a broader cyber-espionage effort against the Philippines effectively underscores how the invisible battlefield of nation-state hacking goes well beyond highly industrialized nations. Carr and other foreign policy experts noted the high level of geopolitical tension across Asia at the moment.

“Governments tend to seek out information to alleviate uncertainty, and they increasingly collect it through cyber-espionage operations,” Carr said.

You can view each of the documents below: