Vietnamese Hacker Group Targets Chinese Government

Updated: May 7

On April 22, 2020, FireEye, a cybersecurity company, quietly released a report indicating that a state-backed hacker group in Vietnam had targeted agencies of the Chinese government in an intelligence collection operation: "From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that… [were] designed to collect intelligence on the COVID-19 crisis." The action highlights the reality that Vietnam warily eyes its Chinese neighbor and may be willing to increase action against it if its own interests are threatened.


According to FireEye's report, APT32 carried out a series of intrusions by targeting the email accounts of staff at China's Ministry of Emergency Management, an organization similar to the US Federal Emergency Management Agency, and Wuhan's municipal government. The Ministry has been the center of the central government's response to COVID-19, while officials in the municipal government have been accused of covering up the spread of the virus in its early stage.


On April 23, Ngo Toan Thang, deputy spokesperson for Vietnam's Ministry of Foreign Affairs, fiercely denounced FireEye's claim: "This accusation is unfounded. Vietnam strictly prohibits cyberattacks targeting organizations and individuals in any form." The evidence, however, tells a different story.


The first attack reportedly occurred on January 6, 2020, nearly two full weeks prior to the Chinese government's announcement that COVID-19 did indeed spread through human-to-human transmission. It came in the form of a spear-phishing email that informed the hackers if it was opened. If a target opened the email, attachments and links containing malware called METALJACK were then sent to that target; METALJACK gives the hackers access to the victim's computer. The subject of the email, 第一期办公设备招标结果报告, translates roughly to "Report on the first quarter results of office equipment bids."



The news of this event went largely unreported in the media. Traditional news agencies claim that the evidence connecting the cyber attack to the Vietnamese government is inconclusive, and if they did indeed carry out the intrusion, their rationale behind the attack makes little sense. Such a claim, however, fails to take into account all the factors that were being weighed by the Vietnamese government at this time.


Vietnam has proven adept at collecting intelligence on its neighbor to the north. For years, Hanoi has sought to keep itself apprised of Beijing's actions and motivations, especially in the South China Sea. It mainly does this through human intelligence (HUMINT) and signals intelligence (SIGINT). Given this existing intelligence infrastructure, it isn't entirely out of the question that the Vietnamese government began to develop intelligence on the spread of the virus as early as November 2019. Due to its close proximity to China, and the amount of travel and trade activity that occurs between the two countries, Vietnam would obviously have a high level of interest in determining the lethality of COVID-19, its means of transmission, and its likely impact on Vietnam itself.


The People's Republic of China's official story, that the situation was under control and that there was no human-to-human transmission, would not have lined up with the intelligence Hanoi was reviewing. As a result, Vietnamese intelligence agencies would have been given the mission of collecting information on the pathogen by any means necessary, including through open-source collection and more forceful measures. Thus, on January 6, 2020, state-backed hacking group APT32 conducted its first cyber intrusion against China's Ministry of Emergency Management and the Wuhan city government.

