Dark Pink, Ocean Buffalo: Hackers and cyber-espionage in SEA

A lack of bloodshed doesn’t mean an absence of war. 

For the past two years, a cyber conflict has quietly boiled across the Asia Pacific region. At the centre of the virtual fighting is a shadowy figure: known to some as Ocean Buffalo or to others as Dark Pink. Not to be mistaken for the K-pop group with a similar name, the enigmatic hacker group has been targeting government and military agencies mainly in Southeast Asia but also as far away as eastern Europe. 

“Every attack starts from a human,” said Dmitry Volkov, CEO and co-founder of the global cybersecurity provider Group-IB, a private firm that works with national authorities and groups such as Interpol. 

The company has been tracking the hacks and came up with the Dark Pink codename. The use of such names is a common practice in the cybersecurity sector, where analysts caution there’s seldom any true certainty in nailing down organisations that exist only as digital shadows. 

Since the hacker organisation’s attacks gained public attention in June 2021, the perpetrators have infiltrated 13 entities, mostly in Southeast Asia. This spree targeted government agencies in Brunei, Cambodia, Indonesia and Bosnia and Herzegovina; military bodies in Malaysia, the Philippines and Thailand; and religious groups, non-profit organisations and educational institutions in Vietnam and Belgium.

The latest moves triggered major concerns among international cybersecurity experts who say the scope of the attacks might be much broader than they originally thought. 

But analysts also say the group is just one of many engaged in constant, simmering cyber-espionage campaigns across the region and beyond. As the world increasingly goes digital, criminal groups and national intelligence organisations alike have pushed fast-developing techniques to more efficiently break down defences, steal information and carry out attacks of real-world significance. Sometimes, as with Dark Pink or Ocean Buffalo, the line between rogue groups and officially sanctioned activities is blurry as can be.

“There’s a lot of sensationalising around it,” said Aaron Ng, senior systems engineer at CrowdStrike, another global cybersecurity firm, which came up with the Ocean Buffalo name. “At the core, it is really just an extension of spycraft evolving with the times. Like a business adopting digital technologies, spying organisations across the world also have to follow the trend.”

According to Group-IB, Dark Pink seems to follow that pattern. The entity’s latest intrusion was detected in May, showing no sign of an end to its espionage campaign.

“Dark Pink has a strong focus on military organisations,” Volkov said. “They want to get military secrets and we need to think a few steps ahead if we want to catch who’s behind these attacks.”

But while the group gained publicity as Dark Pink only two years ago, there are hints that suggest its true origins could extend much further back. Threat intelligence at CrowdStrike reported the group’s attacks bear a very close similarity to the activities of what they’ve been referring to as Ocean Buffalo, a hacker entity that has likely been working since 2012. CrowdStrike believes the earlier-detected group is likely connected to the Vietnamese government – and maybe only recently turned outwards into the rest of the world.

“We have been tracking these intrusion activities for so many years, but we attribute the intrusions to the group Ocean Buffalo,” said Ng. “Ocean Buffalo has been around for more than a decade now and they started off primarily as an instrument of the state to perform domestic surveillance.”

According to Ng’s experience researching the group’s activities, Ocean Buffalo’s modus operandi matches that of the group Group-IB is tracking as Dark Pink. Because earlier research had already confirmed that Ocean Buffalo originated in Vietnam, CrowdStrike has strong reasons to believe the same of Dark Pink.

The inherently secretive nature of digital espionage helps give cover to such organisations as they evolve and expand their reach. Even if groups such as CrowdStrike are confident about the origins of Ocean Buffalo, national cybersecurity authorities in Southeast Asia are still investigating the nature of Dark Pink. The group’s attacks were mostly carried out through sophisticated custom malware and “spear-phishing” emails aimed at specific users. 

Both experts explained that cyberattacks almost always begin with gathering information on the data potential and internal procedures of the targeted organisation.

While Ocean Buffalo may have Vietnamese roots, Ng believes the vast majority of today’s cyberattacks across Southeast Asia are carried out by groups from China for the purposes of intelligence gathering and economic espionage.

“That often means collecting information that would help them with better foreign policy decision-making and that fits the Chinese communist regime’s agenda,” he said. “For example, gathering information about dissidents who live abroad.”

Ng added that he saw a correlation between the Chinese government’s five-year policy plan and the nature of the intellectual property threats happening in the cyber-realm. He also pointed to the conflicting interests of China and Vietnam in the disputed South China Sea as another thread carrying over into the digital world.

“Intelligence is inherently political,” Ng said. “The countries would collect information that would help them with better foreign policy decision-making.”

While sharing similar perspectives on the reasons behind cyberattacks, Group-IB refrained from calling out any specific country. However, they linked the early intrusions by Dark Pink to a sequence of attacks in Vietnam and Indonesia in mid-2021. 

The hacking group was seemingly inactive throughout the second half of last year. But Group-IB was later able to link several attacks on government institutions in Indonesia, Malaysia and Thailand to Dark Pink using digital evidence gathered through the analysis of past infection chains.

“We identified Dark Pink attackers in their early stage, information gathering,” Volkov said. “That’s why we are motivated to follow their steps and find them before they get a command to disrupt some kind of military operations in the Asia Pacific region.”

What is most concerning, according to Group-IB, is that once the threat group gains access to its target, it can remain undetected and control the conquered cyberspace.

Whoever is behind Dark Pink is clearly skilled in keeping their activities original enough to remain active while getting away with their crimes. 

According to malware analysts at Group-IB, Dark Pink uses spear-phishing to gain initial access and tricks users into opening a file that looks like it’s from Microsoft Word but is really a virus. 

The group also uses the off-the-shelf commercial programme Microsoft Build to launch a highly advanced form of malware called KamiKakaBot, which can control devices and steal sensitive information while evading detection by anti-virus software. Through commands from a Telegram channel, hackers can use this tool to intercept key data by placing their attack between an infected system and the targeted institution. 

The use of the well-known Microsoft Build and a popular communication platform such as Telegram makes it even more difficult to diagnose and prevent these attacks. 

Speaking generally, Volkov said organisations should take measures to protect their systems and users from such attacks, such as educating employees on the risks of spear-phishing. He also said countries should invest more on a national level to train experts who can stay up-to-date on the rapidly evolving cybersecurity landscape.

“Threats are similar everywhere, but the devil is in the details,” he said. “We need to understand how exactly these threat factors are able to bypass different security control systems. Without this knowledge, it is impossible to develop the right protection technologies and respond effectively to cyber threats.”

Given the persistent, international threat posed by groups such as Dark Pink and Ocean Buffalo, the analysts who spoke to Globe said it was crucial for governments and international organisations to stay ahead of the curve in the digital arms race.

“This is the reason why threat intelligence exists,” said Volkov. “We try to understand what happens in one region, then structure the collected information and share it with the rest of the world so other regions can be prepared in advance.”