
    Executive Threat Analysis Report – Vietnam

    Published On: 2025-02-28

    Why Do Cyber Threat Actors Target Vietnam?

    Geopolitical Tensions & Regional Influence

    Vietnam is situated in a strategically vital region, particularly concerning the South China Sea disputes. Its burgeoning partnerships with the United States, Japan, and ASEAN nations make it an attractive target for state-sponsored cyber espionage, especially from Chinese Advanced Persistent Threat (APT) groups. These actors are keenly interested in accessing intelligence regarding Vietnam’s defense strategies, governmental policies, and critical infrastructure developments.

    Economic Growth & Industrial Espionage

    As one of the fastest-growing economies in Southeast Asia, Vietnam’s manufacturing, energy, and finance sectors are enticing prey for cybercriminals looking to steal intellectual property and engage in industrial espionage. Threat actors from China, North Korea, and Russia are specifically targeting the technology and telecommunications industries, aiming to capitalize on Vietnam’s rapid economic ascent.

    Expanding Digital & Financial Infrastructure

    Vietnam’s rapid digital transformation, coupled with a thriving fintech landscape, has attracted various cyber threats. Ransomware operators, financial fraudsters, and malware targeting banking systems are increasingly focused on exploiting these vulnerabilities. The rise of cryptocurrency usage has further transformed Vietnam into a hotbed for exchange compromises and crypto-related fraud.

    Supply Chain Vulnerabilities

    Vietnam’s position as a regional manufacturing hub presents unique risks. Its supply chain is intricately linked with global giants, making it susceptible to supply chain attacks where attackers compromise third-party vendors, logistics firms, and IT service providers. This creates a dual threat of espionage and potential disruption of critical services.

    Critical Infrastructure & Energy Sector Risks

    The energy, telecommunications, and transportation sectors are becoming increasingly attractive targets for state-sponsored sabotage and cyber extortion. With the adoption of Industrial Internet of Things (IIoT) technologies, new attack surfaces in manufacturing and energy sectors are emerging, posing additional risks to national security.

    Weak Cybersecurity Frameworks & Insider Threats

    Despite recent advances in cybersecurity policies, Vietnam continues to face vulnerabilities. Enforcement gaps and a shortage of skilled cybersecurity professionals contribute to a cyber maturity gap. Insider threats, business email compromise (BEC), and targeted phishing campaigns exploit organizational weaknesses, heightening overall risk.

    Trends From The Dark Web

    According to CYFIRMA’s observations, there has been a notable uptick in cyber campaigns aimed at Vietnam, increasing from eight in 2023 to nine in 2024. This trend could indicate a more hostile threat landscape, likely fueled by geopolitical tensions, vulnerabilities in the financial sector, and rapid digital transformation.

    Campaigns Targeting Vietnam

    Analysis from CYFIRMA shows that the primary sources of threat actors targeting Vietnam are China (33.33%) and Russia (33.33%), with North Korea contributing 14.29%. Chinese APT groups are inclined towards industrial espionage and intellectual property theft, especially in semiconductors and advanced manufacturing. Russian actors have a dual focus on financially motivated cybercrime and destabilizing geopolitical interests, while North Korean groups like Lazarus engage in revenue-driven attacks to support state objectives.

    Threat Actor Origins Targeting Vietnam

    Vietnam’s Geopolitical Risk Factors

    • South China Sea Disputes – Tensions with China: The ongoing territorial disputes with China regarding the Paracel and Spratly Islands exacerbate diplomatic and military tensions, increasing vulnerability to cyber threats.
    • U.S.-Vietnam Strategic Partnership – Growing Alliance with the West: As Vietnam enhances its relationships with NATO allies, it becomes a key player in Indo-Pacific geopolitics, intensifying its vulnerabilities from adversarial states.
    • North Korea’s Engagement with Vietnam: The rise of cryptocurrency within Vietnam has attracted various North Korean financial activities, raising alarm over illicit transactions and the potential for regulatory non-compliance.
    • Russia-Vietnam Relations & Energy Dependence: While strong ties remain, navigating relations between Moscow and Western nations becomes increasingly challenging amid global sanctions.
    • ASEAN & Regional Security Dynamics: While Vietnam actively participates in ASEAN organizations, regional cybercrime and political instabilities pose challenges to comprehensive collaborative efforts.
    • Economic Growth & Supply Chain Integration: Vietnam’s booming manufacturing and tech sectors provide economic benefits but also expose vulnerabilities to trade disputes and geopolitical risks.

    Suspected Threat Actors

    CYFIRMA identifies a varied range of suspected threat actors targeting Vietnam, including well-known groups such as Lazarus Group, Stone Panda, and MISSION2025. The presence of both state-sponsored actors and financially motivated cybercriminals signifies a complex, evolving risk landscape.

    Top Attacked Technology

    CYFIRMA’s findings reveal that web applications (25) and operating systems (12) are among the most frequently targeted attack surfaces. This trend underscores a persistent focus on exploiting web vulnerabilities and system-level weaknesses. Attackers are increasingly targeting application servers, infrastructure software, and VPN solutions, emphasizing the necessity for robust patch management and proactive security measures.

    Top Observed Malware

    CYFIRMA’s observations point to unknown malware (21) as the most prevalent threat, indicating that custom or evolving threats are commonly used to evade detection. The existence of well-known malware such as Cobalt Strike, PlugX RAT, and Winnti suggests a sophisticated adversary strategy aimed at achieving persistence, lateral movement, and ultimately operational disruption. Additionally, the emergence of ransomware variants like Cl0p and Ryuk underscores a mix of state-sponsored espionage and financially driven cybercrime.

    Ransomware

    Year-to-Year Elevation: High

    Ransomware incidents in Vietnam have witnessed fluctuations, with CYFIRMA documenting 4,723 verified ransomware victims in 2023, rising to 5,123 in 2024, a growth rate of 8.5% across diverse industries.

    The number of ransomware victims reported in Vietnam actually declined from 12 in 2023 to 8 in 2024. However, this should not be misconstrued as a reduction in overall risk; Ransomware-as-a-Service (RaaS) operations and targeted extortion campaigns remain prevalent. This evolving landscape, characterized by tactics such as double extortion and targeted supply chain breaches, signifies an urgent need for enhanced vigilance and cybersecurity resilience.

    Ransomware Groups Targeting Vietnam

    Manufacturing entities account for 30% of ransomware attacks in Vietnam, revealing a systematic approach by attackers to disrupt supply chains and pilfer intellectual property. Other sectors under threat include Consumer Goods & Services (15%) and Real Estate & Construction (10%), illustrating the widening net of ransomware’s focus on critical economic sectors. The growing risk landscape further encompasses education, healthcare, energy, and IT, which heightens overall vulnerabilities.

    Top Targeted Industries in Vietnam

    In early 2023, the takedown of the Hive ransomware group led to a temporary decrease in activity. However, this lull was swiftly followed by a resurgence fueled by Cl0p, which leveraged the MOVEit vulnerability to its advantage. Similarly, the early 2024 decline due to the LockBit3 takedown was short-lived, as affiliates moved to alternate Ransomware-as-a-Service options, and new players like RansomHub quickly filled the gaps in the ecosystem.

    Ransomware Victims in Vietnam

    LockBit3 currently stands as the most active ransomware group targeting Vietnam, accounting for 30% of reported incidents. Stormous and KillSec each contribute 15%, indicating a variety of established Ransomware-as-a-Service operations alongside newly emerging threat actors. The interplay of these diverse ransomware factions underscores the enduring threat of data exfiltration, financial extortion, and operational disruptions.

    Targeted Industries by Ransomware 2024 – Vietnam

    • Rise in Nation-State Espionage: Chinese, Russian, and North Korean APT groups persistently target government, financial, and manufacturing sectors, focusing on intellectual property theft and geopolitical intelligence.
    • Financial & Ransomware Threat Surge: With groups like LockBit3, Stormous, and KillSec leading the charge, ransomware campaigns emphasize data extortion and operational disruption.
    • Expansion of Supply Chain Attacks: Attackers increasingly target IT service providers, software vendors, and cloud platforms, aiming for infiltration of larger enterprises.
    • Critical Infrastructure Under Attack: The energy, telecommunications, and financial services sectors are particularly vulnerable, with threats exploiting weaknesses in web applications and operating systems.
    • Growth of Cybercrime-as-a-Service: Domestic cybercriminal groups are evolving, engaging in activities like business email compromise (BEC) and illicit data leaks, effectively contributing to global cybercrime networks.
    • Regulatory Pressure & Compliance Challenges: As new cybersecurity laws and data localization mandates evolve, organizations must adapt and enhance compliance strategies to meet rising expectations.