Published On : 2023-11-17


This Southeast Asia Cyber Threat Landscape Report provides a comprehensive overview of the evolving cybersecurity landscape in the region. In recent years, Southeast Asia has witnessed a significant increase in cyber threats, driven by factors such as rapid digitalization, increased internet penetration, and geopolitical tensions. This report aims to provide key insights into the current state of cyber threats, and emerging trends.

The geographical scope of this report: Philippines, Vietnam, Indonesia, Malaysia, Singapore, Thailand

Yet to be updated: Malaysia, Singapore, Thailand

Updated Methodology: This is a running report. Our research team will update this report on an ongoing basis to keep the reader updated on the evolving cyber threat landscape of the region.



  • Trend: Ransomware attacks on critical infrastructure. Motives: Disruption/Geopolitical/Extortion
  • Trend: Spyware, malware and plug-ins to collect data. Motive: Reputation impact, disruption, extortion
  • Trend: Brute force attacks, credential reuse and data exfiltration via malware. Motive: Operational disruption, espionage, IP exfiltration
  • Trend: Social engineering/phishing, jump server exploits, remote access tool compromise. Motive: Operational disruption, espionage, IP exfiltration
  • Trend: Device scanning, firmware, phishing/malware download. Motives: Disruption, data harvesting, remote attacks (DDoS)
  • Trend: Multi-behavioral malware (IT/OT, different operating systems). Target: CII trade secrets, documents containing proprietary processes


Ransomware attacks have surged across Southeast Asia, targeting both businesses and individuals. Criminal organizations have refined their tactics, often demanding hefty ransoms, posing a significant financial and operational risk.

State-sponsored cyber-espionage and cyber-attacks continue to be a major concern. Regional tensions have escalated the risk of cyber-attacks with political and economic motives.

The supply chain has become a prominent attack vector, with adversaries exploiting vulnerabilities in third-party suppliers to compromise larger organizations. This underlines the importance of robust supply chain security measures.

Internet of Things (IoT) devices and critical infrastructure are increasingly targeted, raising concerns about potential disruptions to essential services and infrastructure.

Phishing attacks remain prevalent, often facilitated through social engineering techniques. Education and awareness campaigns are vital in mitigating these threats.


  • Southeast Asia is a key geostrategic region. It is home to more than 50% of the world’s population and two-thirds of global container trade passes through the region.
  • The rise of China is a major geostrategic issue in the region. China’s claims in the South China Sea and its stance on Taiwan are of particular concern to Southeast Asian countries.
  • Some Southeast Asian countries are looking to the United States for security guarantees against China. However, most countries in the region are taking a more balanced approach, as they rely on China for trade and investment.
  • ASEAN is slowly drifting towards cooperation with the Quad, a security alliance between the United States, Japan, India, and Australia. However, ASEAN is still focused on internal development and is not willing to take a strong stance against China.
  • Taiwan is a potential flashpoint in Southeast Asia. If China were to take military action against Taiwan, it could lead to a wider conflict between China and the United States.
  • State-sponsored threat actors have also been observed targeting entities from countries in Southeast Asia, Japan, Australia, and Taiwan. These attacks are likely motivated by a desire to gather intelligence, disrupt critical infrastructure, or sow discord.


  • With technology supply chain issues having risen to the fore as an area of strategic competition between Beijing and Washington, large shares of technological manufacturing previously conducted in China will be distributed to other countries within Asia.
  • This puts further tension on the relations between China and other countries in the region and China will thus have further incentive to use cyber as a tool of statecraft in the region.
  • State-sponsored threat actors have also been observed targeting entities from countries in Southeast Asia. Due to increased tensions between specific countries in Asia, state-sponsored threat actors have targeted countries (including EU member states) that had established closer ties with Taiwan.
  • Countries in Southeast Asia have released national policy and strategy documents to seize the opportunities of the data-driven economy. They are also rolling out 5G technology, which is expanding the attack surface for malicious cyber actors. These actors have targeted governments and businesses in the region, using sophisticated tactics. This rapid digital transformation in Southeast Asia has created new opportunities for businesses and governments. However, it has also made the region more vulnerable to cyberattacks.
  • Southeast Asia is poised to become a major player in the global digital economy. The region has a large and growing population of internet users, and there is a strong demand for digital services. Homegrown tech companies are also innovating and developing new products and services. The rapid growth of the digital economy in Southeast Asia presents a number of opportunities for businesses and governments. However, it also poses some challenges, such as the need to improve cybersecurity and the need to address the digital divide.



Financial Motivation: Indonesia is the largest economy in Southeast Asia and possesses abundant natural resources. This makes it an attractive target for cybercriminals seeking financial gains through activities such as hacking into financial institutions, conducting ransomware attacks, or stealing sensitive financial data.

Political Motivation: Indonesia is the world’s fourth most populous country and has a diverse political landscape. Political motivations for targeting Indonesia could include influencing elections, destabilizing the government, or compromising political figures or organizations.

Geopolitical Motivation: Indonesia’s strategic location in Southeast Asia, along with its large population and economic potential, makes it an important player in regional and global geopolitics. Threat actors with geopolitical motivations target Indonesia to gain a competitive advantage, disrupt regional stability, or gather intelligence.


  • Growth in economic activities in Indonesia especially in various industrial sectors like manufacturing, eCommerce, Travel and Tourism, Infrastructure, Construction, Mining, and Aviation attracts financially motivated threat actors, state-sponsored threat actors, and other threat actors who are interested in data leaks.
  • The surge of eCommerce has been a notable trend, intensifying even more in the post-pandemic era.
  • Russian, Chinese, and North Korean threat actors are actively targeting Indonesian organizations.
  • Cyber-attacks on Indonesian organizations not only do financial and reputational damage but also have a negative impact on attracting investments from potential global investors.
  • Despite government efforts, Indonesia’s digital literacy remains moderate.
  • The South China Sea disputes, involving territorial claims and maritime rights, have become a focal point of geopolitical contention. China’s assertion of sovereignty over a significant portion of the South China Sea has led to territorial tensions with neighboring countries, including Indonesia, and will continue to create chaos in the region.


With Indonesia ambitiously aiming to secure a position among the world’s largest economies by 2030, the manufacturing sector has become an appealing target for cyber threats. Threat actors may seek to exploit vulnerabilities within manufacturing infrastructure for various reasons, including potential economic disruption, theft of intellectual property, or industrial espionage.

Travel and Tourism
The diversity of Indonesia, comprising a huge number of islands, each offering a unique atmosphere, makes it particularly appealing to international travelers. The surge in foreign tourist arrivals further highlights the industry’s resilience following the easing of pandemic restrictions. Threat actors are likely interested in this sector due to its economic importance, the sheer volume of transactions, and the potential for exploiting vulnerabilities in the complex travel ecosystem, including booking systems, personal data records, and payment processes.

With Indonesian airports experiencing a surge in air traffic and the expansion of infrastructure to cater to tourist destinations, robust cybersecurity measures are crucial to safeguard against potential cyber threats and ensure the resilience of the aviation industry’s operations. The areas of growth highlighted by the International Trade Administration, including enhancements to ground infrastructure, runways, and air traffic systems, present specific points of interest for threat actors seeking to exploit potential vulnerabilities within the aviation sector.

Infrastructure and Construction
The Indonesian government’s substantial investment commitment of $430 billion from 2020 to 2024 amplifies the sector’s significance, making it a focal point for both economic development and potential cyber threats. As outlined in a report by PwC the critical areas of roads, tolls, ports, airports, railways, water, and power plants in Indonesia present significant opportunities for investment but also pose cybersecurity challenges. Threat actors may be drawn to this sector due to the potential for financial gains, the large-scale impact of disruptions to critical infrastructure, and the myriad of interconnected systems susceptible to cyber-attacks.

Indonesia stands as a significant player in the global mining industry, renowned for its substantial production of coal, gold, tin, copper, and nickel. Indonesia’s mining sector is poised to emerge as one of the top potential leading industries within the country. This prominence, however, also attracts the attention of threat actors within the cybersecurity realm. The strategic importance of the mining industry in Indonesia, contributing significantly to the country’s economy, makes it a lucrative target for cyber threats. Threat actors may be interested in exploiting vulnerabilities within the mining sector for various reasons, including potential financial gains, stealing sensitive geological data, disrupting operations, or engaging in industrial espionage.

In the Indonesian threat landscape, the surge of eCommerce has been a notable trend, intensifying even more in the post-pandemic era. Dominated by platforms such as Tokopedia and Shopee, online shopping has gained significant traction, with a Deloitte survey indicating that 31% of Indonesians opt for online shopping due to its convenience and practicality. This dynamic eCommerce landscape presents opportunities for legitimate business, but also ample opportunities for cybercriminals to exploit vulnerabilities, engage in data theft for monetization on the dark web, and conduct fraudulent transactions.


The Asia-Pacific region, with its significant population and pivotal role in global trade, is a focal point for geopolitical competition, primarily exemplified by the rivalry between the United States and China. Indonesia, as Southeast Asia’s largest economy, holds a vital position in this landscape, thanks to its economic growth and control of critical sea lanes. This competition is compounded by multifaceted geopolitical threats stemming from complex regional relations, demographic shifts, and climate change.

Notably, China’s ascent as a superpower shapes the key geopolitical concerns in the region, with the South China Sea disputes and the Taiwan issue at the forefront. China’s territorial claims extend to the South China Sea, including Indonesia’s exclusive economic zone in the Natuna Sea. This has led to territorial tensions, with near-armed conflict in 2019 and 2020.

Indonesia’s foreign policy historically emphasizes nonalignment, aiming to balance relations with the United States and China. Recent efforts have seen the mending of relations with China, with growing economic ties and political interactions. Simultaneously, Jakarta maintains strong security ties with the United States.

However, these developments strain relations with China, and as regional countries assert their sovereignty and economic interests, tensions could rise. Cyber espionage activities primarily target government entities but are expected to expand to non-governmental organizations and commercial entities. The Asia-Pacific region houses some of the world’s most active state-sponsored cyber actors, led by China, followed by Russia and North Korea, while India emerges as an aspiring cyber power.

The potential flashpoint in the regional security landscape centers around the Taiwan issue, with cyber campaigns likely preceding any conflict. While overt military confrontations remain unlikely, cyberattacks targeting various entities are projected to increase. Strengthening network security standards and cybersecurity practices is the top priority for businesses, as regional stability and economic prosperity depend on cybersecurity resilience in this volatile geopolitical environment.


We observed 5 campaigns targeting various industries in Indonesia during 2023. Chinese, Russian, and North Korean state-sponsored threat actors are behind most of these campaigns. Here are some details about observed sample campaigns.

Chinese state-sponsored threat actors targeting Indonesia could be motivated by various factors, including economic interests, geopolitical considerations, and regional dynamics. Economic espionage may drive attempts to acquire trade secrets and intellectual property, providing China with economic advantages. Geopolitical tensions or strategic interests in the Asia-Pacific region could lead to cyber activities aimed at gathering intelligence, exerting influence, or addressing security concerns. Additionally, the pursuit of military intelligence, political influence, or access to valuable resources in Indonesia may contribute to the motivation behind these state-sponsored cyber operations. 

A discernible change is observed in the conduct of Russian threat actors. They are broadening their range of attacks to include additional geographical regions, such as the Asia-Pacific and EMEA, in addition to their typical targets in North America and Western Europe. Moreover, there is speculation that these actors might be planning retaliatory attacks, either directly or indirectly, against the United States and its allied nations.


In May 2023, the LockBit ransomware group successfully compromised Bank Syariah Indonesia (BSI), a subsidiary of the state-owned enterprise Bank Mandiri. The cyberattack resulted in the acquisition of 1.5 terabytes of data, including nine databases containing information about the bank’s employees and more than 15 million customers. The stolen databases contained sensitive data such as customers’ full names, phone numbers, addresses, proprietary documentation, account numbers, card numbers, Non-Disclosure Agreements (NDAs), transaction histories, contracts, and passwords. Following the breach, LockBit demanded a ransom of US$20 million. However, negotiations between BSI and the ransomware group broke down, leading LockBit to publish the stolen data on various underground leak forums. This exposure heightened the risk of cyberattacks and scams targeting BSI clients and employees. In addition to the immediate consequences, the data breach poses long-term risks. Efforts to attract global investors may be adversely affected, and the bank faces potential legal consequences, including lawsuits and penalties.

Integra Group (www[.]integragroup-indonesia[.]com), Indonesia’s largest wood manufacturing group, was compromised. An unknown threat actor advertised 3.57 GB of data from 7 companies under Integra Group.

Data from Badan Tenaga Nuklir Nasional (BATAN), an Indonesian non-ministerial government institution tasked with carrying out government duties in the field of research, development, and utilization of nuclear energy, was compromised and leaked on an underground forum. The leaked data contains employee names, email addresses, and passwords.


During the period spanning from January 1st to October 12th, CYFIRMA’s telemetry systems detected a total of 568,521 phishing campaigns. Within this extensive dataset, Indonesia emerged as the third-most targeted geographic region in Southeast Asia.

The observed campaign in Indonesia reveals several prominent themes exploited in phishing attacks. Among these, the sectors most frequently targeted include Social Networking, Logistics and Couriers, Financial, Online/Cloud Services, and Email Providers. These findings shed light on the diverse range of sectors that malicious actors are leveraging to carry out phishing attacks within Indonesia. Understanding these prevalent themes is crucial for enhancing cybersecurity measures and safeguarding against the evolving tactics employed by cybercriminals.



Ransomware groups target Indonesia due to its significant and growing economy, increasing digital transformation, potential vulnerabilities in cybersecurity practices among certain organizations, geopolitical and economic motivations, the widespread use of cryptocurrencies, relative lack of cybersecurity awareness, regional and global connectivity, and, in some cases, political instability. The country’s expanding digital infrastructure and the perceived financial capacity of high-profile targets make it an attractive environment for cybercriminals seeking substantial ransom payouts. Notably, this threat landscape is influenced by formidable ransomware groups, including LockBit, BlackCat (ALPHV), and 8Base, which feature prominently on the list of perpetrators targeting Indonesian companies.


The top 20 exposed device vendors found across Indonesia

Most Exploited vulnerabilities in Indonesia


Over the past six months in Indonesia, the threat landscape has been significantly impacted by distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector bearing the brunt, accounting for a substantial 83.61% of the attacks. Internet-related services also faced notable disruptions at 6.03%, followed by the Telecommunications sector at 3.92%. Information Services, Gaming, and Retail were subject to lower but still impactful percentages, with 1.92%, 1.87%, and 0.59%, respectively. Sectors such as Financial Services, Website Design & Management, Computer Software, Gambling & Casinos, and Banking each experienced less than 1% of the attacks, ranging from 0.48% to 0.32%. The remaining category, labelled as “Others,” accounted for a minimal 0.12%. This comprehensive breakdown underscores the varied impact of DDoS attacks across different industries in Indonesia, emphasizing the diverse targets and the need for robust cybersecurity measures.



  • Cyberattacks by the People’s Liberation Army (PLA) against government institutions related to trade, defense, and external affairs.
  • Data exfiltration by the PLA from a prominent manufacturing and electronics company.
  • Russian-speaking cybercriminals were observed attempting to attack the minerals industry.
  • On September 21, we noticed that Korean hackers had claimed to have breached business process outsourcing and food processing organizations.
  • Korean hackers claimed to have allegedly hacked South Korean and Philippine fintech organizations on August 19.
  • Russian-speaking ransomware group showed interest in launching attacks towards service providers from the Philippines.
  • On August 10, we noticed Russian-speaking hacking communities discussing breaking into water and electricity supply organizations, albeit with no further information available.


  • The Philippines is located in a strategically important region that is home to more than half of the world’s population and two-thirds of global container trade. The region is facing numerous geopolitical threats, including the rise of China as a superpower and the ongoing conflict over Taiwan.
  • The Philippines is particularly vulnerable to cyber-attacks because of its close ties to the United States and its location in the South China Sea.
  • China is the world’s largest state sponsor of cyber-attacks, and it is likely to continue to target its adversaries in the region, including the Philippines.
  • North Korea is also a major cyber threat, and it is becoming increasingly sophisticated in its attacks.
  • The Philippines’ ongoing rapprochement with the United States exposes the country to an increased threat from China.
  • Chinese policy in the region is bringing its adversaries into a series of increasingly tight security partnerships, such as the QUAD and AUKUS platforms.
  • Russia’s increasing dependence on China is a worrying sign of a forming Eurasian bloc that could pose serious competition to other powers in the region, including the Philippines.
  • The Philippines is host to some of the most prolific users of cyber as a tool of statecraft in the world, including China, Russia, and North Korea.
  • The potential conflict over Taiwan is the biggest possible flashpoint on the regional security horizon with potentially unpredictable cyber fallout.
  • The Philippines is a logical target for Chinese cyber-attacks in the event of a conflict over Taiwan.
  • The overarching priority for business in the Philippines should be to strengthen common network security standards and cybersecurity practices across the board.


The financial sector is the most targeted industry by ransomware in the Philippines. This is because financial institutions store a large amount of sensitive financial data, which is valuable to cybercriminals.

The government sector is also a prime target for ransomware attacks. Government agencies control critical infrastructure and store a large amount of sensitive data, such as personal information and national security secrets.

The healthcare sector is vulnerable to ransomware attacks because it stores a large amount of sensitive patient data, such as medical records and financial information.

The education sector is also a target for ransomware attacks. Educational institutions store a large amount of student data and intellectual property, which is valuable to cybercriminals.

The retail sector is vulnerable to ransomware attacks because it processes a large volume of credit card transactions. Cybercriminals can use ransomware to encrypt credit card data and then demand a ransom payment in exchange for the decryption key.


In the past 90 days, the Philippines has experienced ransomware attacks from various groups, including Cl0p, Medusa, LockBit3, ALPHV, and Everest. These incidents highlight the ongoing and diverse cyber threats faced by organizations in the region, emphasizing the critical need for robust cybersecurity measures and vigilance to protect against ransomware attacks.

Recently, PhilHealth experienced a Medusa ransomware attack, accompanied by a $300,000 ransom demand. This led to the temporary suspension of the online systems of the state health insurer. After the ransom payment deadline passed, the responsible group uploaded more than 600 gigabytes of files to a leak site and a Telegram channel. The leaked information encompassed photos, bank cards, transaction receipts, and other sensitive data belonging to the victims.





Over the last six months, the Philippines has confronted a dynamic landscape of distributed denial-of-service (DDoS) attacks, revealing a nuanced distribution of threats across industries. The Information Technology and Services sector emerged as the primary target, facing a substantial 29.39% of attacks, signifying a heightened and specific risk. Close behind were Internet-based services and Information Services, each with significant percentages, underlining a noteworthy impact on entities involved in data management and online platforms. Noteworthy percentages in the gaming, telecommunications, and Internet sectors emphasize the breadth of the threat, necessitating heightened cybersecurity measures. Although facing comparatively lower percentages, sectors like banking and financial services underscore the critical need for robust cybersecurity practices to protect sensitive data. This multifaceted distribution highlights the diverse industries grappling with DDoS challenges in the Philippines, demanding tailored and vigilant cybersecurity strategies.


A massive data hack in April 2023, which exposed 817.54 gigabytes of both applicant and employee records under multiple state agencies, including the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR), and Special Action Force (SAF), has put the personal information of millions of Filipinos at risk.

Scanned copy of police officer’s national police clearance

Bureau of Internal Revenue Card with TIN


Cyber espionage is a growing threat to all organizations, including businesses, governments, and critical infrastructure. It is the use of computers and networks to steal sensitive information, such as trade secrets, government secrets, and personal information.

One specific area where cyber espionage is increasing is in the Philippines. CYFIRMA has identified two advanced persistent threat (APT) groups that have targeted the Philippines, namely, Earth Estries and FamousSparrow.


Earth Estries, a well-known hacking group, has become a major player in a cyber espionage campaign that targets government and technology sectors in multiple countries. The campaign was discovered in August, and its primary focus is on two regions: Asia (Philippines, Taiwan, and Malaysia) and Germany and the United States. Earth Estries has been linked to a highly sophisticated operation with extensive experience in cyber espionage and illicit activities. The campaign has been active since at least 2020 and has global implications.

Interestingly, there are overlaps in tactics, techniques, and procedures (TTPs) between Earth Estries and FamousSparrow.

Earth Estries demonstrates a high level of sophistication, using advanced skills and experience in cyberespionage and illicit activities. Their arsenal includes various backdoors and hacking tools, with a focus on evading detection. They use PowerShell downgrade attacks to bypass security measures and abuse public services such as GitHub, Gmail, and AnonFiles for communication and data transfer.
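The PowerShell downgrade technique attributed to Earth Estries above leaves a trace in the Windows PowerShell event log: Event ID 400 records both the engine version actually loaded and the version of the host that loaded it. The detector below is an added example, not code from the report or from CYFIRMA; it runs over constructed sample records modelled on that log format (the sample values and field layout are assumptions) and flags sessions where the 2.0 engine is loaded on a newer host, or where the command line explicitly asks for it, while leaving a legacy 2.0-only host unflagged.

```python
import re
from typing import Iterable, Optional

# Constructed sample records modelled on Windows PowerShell log Event ID 400
# ("Engine state is changed from None to Available"). Illustrative only; not
# captured from any real host.
SAMPLE_EVENTS = [
    {   # normal PowerShell 5.1 session: engine and host versions agree
        "EventID": 400,
        "Message": (
            "Engine state is changed from None to Available.\n\nDetails:\n"
            "\tHostName=ConsoleHost\n"
            "\tHostVersion=5.1.19041.3693\n"
            "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
            "\tEngineVersion=5.1.19041.3693\n"
        ),
    },
    {   # downgrade: a 5.1 host loading the 2.0 engine via -version 2
        "EventID": 400,
        "Message": (
            "Engine state is changed from None to Available.\n\nDetails:\n"
            "\tHostName=ConsoleHost\n"
            "\tHostVersion=5.1.19041.3693\n"
            "\tHostApplication=powershell.exe -version 2 -NoProfile -EncodedCommand SQBFAFgA\n"
            "\tEngineVersion=2.0\n"
        ),
    },
    {   # legacy box that only ever had PowerShell 2.0: not a downgrade
        "EventID": 400,
        "Message": (
            "Engine state is changed from None to Available.\n\nDetails:\n"
            "\tHostName=ConsoleHost\n"
            "\tHostVersion=2.0\n"
            "\tHostApplication=powershell.exe\n"
            "\tEngineVersion=2.0\n"
        ),
    },
    {   # unrelated event ID, ignored by the detector
        "EventID": 600,
        "Message": "Provider \"Registry\" is Started.",
    },
]

# key=value lines inside the Details block of the event message
FIELD_RE = re.compile(
    r"^\s*(HostVersion|HostApplication|EngineVersion)=(.*?)\s*$", re.MULTILINE
)
# "-v 2", "-version 2", "-Version 2.0": the switch that selects the old engine
VERSION_FLAG_RE = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?=\s|$)")


def parse_details(message: str) -> dict:
    """Extract the Details fields the detector needs from an event message."""
    return {key: value for key, value in FIELD_RE.findall(message)}


def major(version: str) -> int:
    """Major component of a dotted version string; 0 if absent or malformed."""
    head = version.split(".", 1)[0]
    return int(head) if head.isdigit() else 0


def classify(event: dict) -> Optional[str]:
    """Return a reason if the event looks like an engine downgrade, else None."""
    if event.get("EventID") != 400:
        return None
    details = parse_details(event.get("Message", ""))
    engine = details.get("EngineVersion", "")
    host = details.get("HostVersion", "")
    # A modern host loading the 2.0 engine is the downgrade signature; a host
    # that is itself 2.0 is just an old machine and is deliberately excluded.
    if major(engine) == 2 and major(host) > 2:
        return f"engine {engine} loaded under host {host}"
    if VERSION_FLAG_RE.search(details.get("HostApplication", "")):
        return "explicit -version 2 switch on the command line"
    return None


def find_downgrades(events: Iterable[dict]) -> list:
    """(index, reason) for every event that classify() flags."""
    hits = []
    for index, event in enumerate(events):
        reason = classify(event)
        if reason:
            hits.append((index, reason))
    return hits


if __name__ == "__main__":
    for index, reason in find_downgrades(SAMPLE_EVENTS):
        print(f"event #{index}: possible PowerShell downgrade: {reason}")
```

On a live host the same logic can be fed from the "Windows PowerShell" log (Event ID 400), and disabling the PowerShell 2.0 Windows feature removes the engine the technique depends on.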


FamousSparrow is a cyber-espionage entity with connections to APT groups like SparklingGoblin and Metasploit, which have been associated with activities originating from China. It has been targeting government and technology sectors in the Philippines, as well as other countries in Asia, South Africa, Germany, and the United States.



  • CYFIRMA observed and is tracking 12 active campaigns targeting various industries in Vietnam during 2023. Chinese, Russian, and North Korean state-sponsored threat actors are behind most of these campaigns.
  • Threat actors are actively exploiting Atlassian Confluence vulnerabilities (CVE-2023-22515, CVE-2022-26134, CVE-2022-26138, CVE-2019-3396) in Vietnam.
  • Organizations in Information Technology, Manufacturing, Tourism, Logistics, and Construction Industries are actively exploited by state-sponsored and financially motivated threat actors.


With a strategic emphasis on Information and Communication Technology (ICT), the Vietnamese government has undertaken initiatives to propel its development, recognizing its significance as a priority industry. The ambitious goal is to elevate Vietnam’s digital economy to an impressive US$50 billion by 2025, offering substantial growth prospects for the ICT market. This trajectory is underscored by World Bank data, indicating an annual growth rate of 10% in Vietnam’s digital economy, with the potential to exceed a formidable US$200 billion by 2045. Within this burgeoning digital landscape, the Vietnam Information Technology (IT) industry becomes a focal point of interest for threat actors. The convergence of economic ambitions and technological advancements renders the IT sector susceptible to cyber threats, with threat actors aiming to exploit vulnerabilities for economic gains, intellectual property theft, or to gain a competitive advantage.

The manufacturing sector stands as a pivotal force in Vietnam’s economic landscape, constituting a substantial 24.76% of the country’s GDP and contributing significantly to its merchandise exports, accounting for 85% in 2022. Notably, this industry’s prowess extends beyond traditional production, with recent years witnessing an uptick in the manufacturing of sophisticated products like automotive parts, consumer electronics, and telecom equipment, showcasing Vietnam’s commitment to technological advancement. Leveraging advanced technologies, the Vietnamese manufacturing industry has earned a competitive edge, producing high-quality goods at a cost-effective scale. In the context of the threat landscape, the strategic importance and economic impact of Vietnam’s manufacturing industry make it an attractive target for threat actors. Cyber adversaries may seek to exploit vulnerabilities in the industry’s digital infrastructure for various motives, including economic espionage, intellectual property theft, or disrupting supply chains. Recognizing the nexus between technological innovation and economic growth, safeguarding the manufacturing sector becomes imperative, necessitating robust cybersecurity measures to protect against evolving threats and preserve Vietnam’s economic resilience.

Amidst the first half of 2023, Vietnam’s tourism sector showcased notable growth, welcoming nearly 5.6 million international visitors, achieving 70% of the annual target. Projections from Future Market Insights anticipate a robust tourism revenue of US$27,500 million by the year’s end, with a long-term forecast envisioning an impressive US$135,000 million by 2033. Within this thriving landscape, the Vietnam tourism industry becomes an intriguing target for threat actors. The sector’s economic significance, driven by increasing international footfall and substantial revenue projections, makes it an attractive focal point for cyber adversaries. Threat actors may aim to exploit vulnerabilities in the industry’s digital infrastructure for diverse reasons, such as financial fraud, data theft, or disrupting the country’s image as a tourist destination. Recognizing the symbiotic relationship between a secure digital landscape and the sustained growth of Vietnam’s tourism sector, it becomes imperative to fortify cybersecurity measures to safeguard against potential threats and preserve the industry’s positive trajectory.

The logistics sector in Vietnam stands out as a rapidly expanding industry, constituting approximately 4.5% of the country’s GDP. Positioned as the 10th among emerging logistics markets globally, Vietnam’s logistics market is valued at US$40 billion, with projections estimating a market size of US$45.19 billion by end of 2023 and an anticipated growth to US$65.34 billion by 2029. Notably, over 30 companies, including industry giants like DHL, FedEx, and Maersk, contribute to the provision of international logistics services in Vietnam. Within this dynamic context, the Vietnam logistics industry emerges as a focal point for threat actors. The sector’s substantial economic contribution and strategic position in global logistics networks make it an appealing target for cyber adversaries. Threat actors may seek to exploit digital vulnerabilities in the logistics infrastructure for motives such as supply chain disruption, data theft, or financial fraud. Recognizing the critical role of secure logistics in supporting economic activities, fortifying cybersecurity measures becomes imperative to mitigate risks and ensure the resilience of Vietnam’s logistics industry against evolving cyber threats.

With a current valuation of USD 23.1 billion, the Vietnam construction market is poised for substantial growth, projected to register a robust CAGR of over 8.5% in the forecast period. Emerging as the latest East Asian growth engine, Vietnam has captivated the interest of international investors, underscoring its strategic importance in the global construction landscape. However, this burgeoning sector also attracts the attention of threat actors in the Vietnam threat landscape. The construction industry’s pivotal role in the country’s economic development, coupled with its increasing international prominence, makes it an attractive target for cyber adversaries. Threat actors may aim to exploit digital vulnerabilities within the construction infrastructure for motives such as intellectual property theft, economic espionage, or disrupting critical projects. Recognizing the interconnectedness of digital infrastructure and the construction industry’s growth, bolstering cybersecurity measures becomes imperative to safeguard against potential threats and ensure the sustained development of Vietnam’s construction sector.


APT41

  • The APT41 group is well-resourced, highly skilled, creative, and agile, adapting quickly to any attempts by its targets to remediate infections.
  • APT41 compromises are typically widespread and highly persistent, with the group willing to fight to maintain its foothold inside networks.
  • Unlike previous campaigns where the group used phishing emails or Trojan malware, its attacks have evolved to target vulnerable systems and devices that are directly exposed to the internet.

Lazarus Group

  • Lazarus Group is a nation-state adversary from the Democratic People’s Republic of Korea (DPRK).
  • Its operations are conducted by Bureau 39 of the Korean Workers’ Party, with the hacking part of the operations managed by Bureau 121 of the Reconnaissance General Bureau.
  • Bureau 121 consists of multiple units, all included and tracked as APT38 – Lazarus Group.
  • Unit 180 is believed to be dedicated to obtaining currency for the regime. Lazarus Group is capable of rapidly developing, mutating, and evolving existing exploits/malware in its malware development unit.
  • Recently the threat actor has been observed carrying out the UNC024 campaign using the Tofsee backdoor and AppleJeus malware.

TA505

  • TA505 has recently shifted its focus towards ransomware and extortion.
  • Believed to have infrastructure overlap with other threat actors, TA505 has been observed leveraging a wide range of malware as part of its campaigns.
  • It has recently been confirmed that the group is exploiting CVE-2023-34362, the MOVEit Transfer vulnerability, to gain initial access.

APT28/Fancy Bear

  • Fancy Bear is a Russian state-sponsored hacking group closely affiliated with the Russian intelligence service.
  • Recently the threat actor has been exploiting vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in Roundcube Webmail software, granting it unauthorized access to unpatched servers.
  • Once the email servers were compromised, the group used malicious scripts for reconnaissance, harvesting emails of interest, and stealing the targets’ Roundcube address books, session cookies, and other valuable information stored within Roundcube’s database.


  • Three active campaigns are highlighted as a sample.
  • We observed 12 active campaigns targeting various industries in Vietnam during 2023. Chinese and North Korean state-sponsored threat actors are behind most of these campaigns.

Between January and October 2023, as part of our external threat landscape monitoring and analysis, we observed 12 campaigns targeting various conglomerates. The following trends have been observed among the state-sponsored groups and cybercriminals who have potentially carried out the observed cyberattack campaigns:

No. of campaigns carried out by North Korean Groups: 4 out of 12 (33.33%)

  • State-Sponsored: All 4 (100%)
  • Insights: North Korean hackers have been observed possibly collaborating with Chinese and Russian groups, and offering their services/expertise under a Hacker-as-a-Service (HaaS) model to steal sensitive information in return for financial gain.

No. of campaigns carried out by Chinese Groups: 3 out of 12 (25%)

  • State-Sponsored: All 3 (100%)
  • Insights: Chinese threat groups are targeting organizations predominantly for espionage activities to assist their local companies and support their government’s agenda as part of Made in China 2025 objectives.

No. of campaigns carried out by Russian Groups: 5 out of 12 (41.67%)

  • Cybercriminals: 3 out of 5 (60%)
  • State-Sponsored: 2 out of 5 (40%)
  • Insights: Russian threat actors have been observed expanding their targeting to other geographical regions such as Asia-Pacific and EMEA, in addition to their traditional geographies of North America and Western Europe.


In the last six months, Vietnam’s threat landscape has undergone a notable impact from distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector being particularly affected, representing a significant 92.06% of the attacks. Moreover, a substantial 45.46% of these attacks endured for periods exceeding three hours, indicating a prolonged and impactful threat scenario. Additionally, attacks within the one to three-hour duration range accounted for 16.85%, underscoring a notable proportion of sustained assaults. Examining bitrates, attacks with speeds ranging from 500 Mbps to 1 Gbps constituted 12.64%, while those with less than 500 Mbps made up the majority share at 85.64%. This diverse distribution highlights the necessity for a comprehensive and adaptive cybersecurity strategy to effectively mitigate the varying intensities of DDoS threats in Vietnam.


LockBit ransomware has primarily targeted Manufacturing, Healthcare, Transportation & Logistics, Telecommunications, and Food & Beverages sectors in Vietnam, affecting the largest proportion of victims at 37% among all targeted organizations.


Top 5 Targeted Countries in Asia

Phishing themes distribution

Most Impersonated Brands

Between 1st January and 11th October, CYFIRMA’s telemetry recorded 648,306 phishing campaigns. Of these, 12,862 are attributed to Vietnam.


Most Exploited vulnerabilities in Vietnam

We observed that Atlassian Confluence has been actively exploited by threat actors in Vietnam.