Vietnam 'on the edge' of becoming a mid-tier cybercrime hub

A key factor will be whether Vietnam's growing economy can absorb a growing supply of fresh tech talent, says sociologist Jonathan Lusthaus.

Vietnam has the potential to become a mid-level cybercrime hub, according to sociologist Dr Jonathan Lusthaus, who's been studying cybercrime globally for more than seven years.

Lusthaus is director of the Human Cybercriminal Project at the University of Oxford, and an adjunct associate professor at University of New South Wales Canberra Cyber.

Vietnam has a "very good tradition of hacking" as well as other "technical pursuits", Lusthaus told ZDNet on Monday.

"If you look at other parts of South-East Asia, I don't think you always see that same level of interest in technology," he said.

Vietnam's economy is growing more than 6% per annum, a figure that's expected to trend upwards of 6.5% through 2020. Money attracts crime and encourages cyber espionage.

Cybersecurity firms have already seen a rise of offensive cyber activity from Vietnam through 2018, including the rise of threat groups affiliated with, or even part of, the Vietnamese government.

"Vietnamese adversaries are very, very active. They're certainly very active in our region [the Asia-Pacific]," said CrowdStrike's vice president of technology strategy Mike Sentonas in February.

"Vietnam's starting to emerge as a player. There's a lot of development there. Auto companies are doing joint ventures. Suddenly we start to see autos being targeted very, very aggressively," he said.

In March, for example, Toyota announced a pair of data breaches in five weeks.

The first, an attack on Toyota Australia, was attributed by some industry experts to the group CrowdStrike dubbed Ocean Buffalo, also known by FireEye's designation APT32, or OceanLotus.

APT32 is a Vietnamese cyber-espionage unit with a known focus on the automotive industry.

Experts suggested that APT32 hackers might have targeted Toyota's Australian branch as a way to get into the company's more secure central network in Japan.

At the time, though, Toyota declined to confirm any of these theories, and the Vietnamese government denies the hacking claims.

Cybercrime hub, cybercrime haven, or neither?

When a new centre of cybercrime emerges, it can be hard to tell whether it'll be a hub, or what Lusthaus calls a haven.

"One of the difficulties, of course, is identifying [whether the new criminal operators] are local cybercriminals, or are these foreign cybercriminals who are operating there," Lusthaus said.

Some traditional core hubs of cybercrime, such as Russia and Ukraine, have an "over-supply of technical talent" that can't be absorbed by the legitimate local industries, or can't necessarily get jobs internationally, he said. Cybercrime provides an obvious alternative.

"What we're going to look for in these potential new hubs, somewhere like Vietnam as an example, is are they producing enough technical talent in the first place? And are they producing too much to actually support it in the tech sector?"

Lusthaus visited Vietnam personally in 2017 as part of his seven-year research program for his book Industry of Anonymity: Inside the Business of Cybercrime.

"I felt it was on the edge, but so far it was being kept out of being a major cybercrime hub... They have a pretty good group of hackers there. By regional standards they're quite highly regarded," he told ZDNet.

Vietnam has a community of interest in hacking, and the nation's technical education is good enough regionally to produce a suitable talent pool, but Lusthaus says this won't necessarily result in a cybercrime hub.

"I also sense [that] as a country, there was actually quite a lot of opportunities potentially emerging within cyber, and that they had potentially more access to jobs internationally."

The Flappy Bird option

There might also be another option: Games.

When Lusthaus interviewed Vietnamese locals, some from a hacking background, some from the general tech sector, they praised video game artist and programmer Dong Nguyen.

Nguyen released the game Flappy Bird in 2013, and soon it was earning him a reported $50,000 a day from sales and in-app adverts. He suddenly removed the game from app stores in February 2014, however, feeling guilty for having created something so addictive.

"[Nguyen] was kind of like a model of how you can potentially make money," Lusthaus said.

"There was apparently a big move, of everyone trying to create their own game at some point, and trying to find these other sorts of opportunities," he said.

"Vietnam is like in balance. They're never going to be on the same level as like Ukraine or Russia, because quite simply their education system is not the same... So what we're talking about here in Vietnam is, are we going to see some like mid-tier cybercriminals emerging?"

Cybercrime isn't just organised, it's an industry

Lusthaus says that cybercrime is now an industrial operation. The key elements of industrialisation are present: specialisation, professionalisation, mature markets, and even the beginnings of structured firms.

"Cybercrime is highly specialised. What we're talking about is a whole range of skillsets involved in this, so a clear division of labour."

At one end are the very technical skills, such as malware construction and hacking. At the other end are very non-technical skills, such as organising money mules.

"We have a whole range of other people in between. So we have some of the managers, who look really quite like technology entrepreneurs. They just happen to be criminal ones," Lusthaus said.

"And there are people that might have some technical knowledge, but really their skillset is organisation and management."

Within the skillsets there's even a subdivision of labour. A malware team might consist of a team leader, a core coder, specialist coders for specific parts of the malware, and so on.

"They're highly professional. They're operating in a very businesslike manner," Lusthaus said. "They are using accounting software, they keep people on salary, but also the people involved are highly professional.

"In certain parts of the world, and Eastern Europe is one example, these are people who are highly educated, highly intelligent, highly capable. And they're the types of people who could quite easily be working in the legitimate technology sector."

The maturity of cybercrime is often discussed in terms of the hidden markets on the so-called "dark web" or "dark net", but Lusthaus says that the trade has been going on "for decades".

"We've had markets like this well before these terms came into existence, well before Tor," he said. There were markets dealing in stolen credit card numbers, malware components, and technical services "at the turn of the millennium".

The final sign of industrialisation, according to Lusthaus, is the emergence of permanent structures that start to look like firms or even companies. No longer is it just individuals trading with each other.

"We're actually talking about groups that are defining who's in the group and who's not in the group, just like we would in conventional business," he said.

"There's value to be had by incorporating certain people within the operational grouping."

At the highest end of cybercrime, some criminals are even renting office space in business parks.

"Some of them begin to actually look externally as if they're tech startups. They just happen to be criminal startups," Lusthaus said.

One example would be virtual currency trader Liberty Reserve, which was taken down by the US Secret Service in 2013.

With around 50 staff, Liberty Reserve was operating in a business park in Costa Rica, along with legitimate tenants such as Hewlett Packard and Western Union.
