Operation Lotus Blossom – Nation-State Sponsored?

June 18, 2015 By aatech

Government and military organisations in Southeast Asia seem to be a target of cyber espionage campaign. It is most likely state-sponsored and has been named “Lotus Blossom” by Palo Alto Unit 42. This adversary group is very well organised and may have the support from a country that has interest in Southeast Asia. To date, 50 different attacks have been identified and is said to have take place over the past three years.

More than 50 indvidual attacks have been linked to the Lotus Blossom group, targeting the following countries – Hong Kong, Taiwan, Vietnam, the Phillipines and Indoenesia.

These are some of the characteristics of the attacks:

They are against military and government
Spearphishing is used as the initial attack vector
They use a custom Trojan backdoor named “Elise” to gain a foothold
A decoy file appears during intial compromise with Elise, tricking users into thinking they opened a benign file

It is believed that Elise malware was specifically developed to meet the needs of the attack campaigns. It is a sophisticated tool, including variants with the ability to evade detection in virtual environments, connect to command-and-control servers for additional instructions, and to steal data.

When you have a well-resourced enemy, and most likley backed by a nation-state, they will be able to deploy advanced tools in their attacks. Operation Lotus Blossom is a fine example of this. The tools used for the attacked could ebdeployed over an extended period of time, maybe even years, in order to reach its goals.

Definition

Spearphishing – an email spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential information. These emails seem to come from a trusted source, which attackers hope that users will be convinced of its legitimacy and click the malicious web link contain therein or open the malicious attachment.

Source

Palo Alto Unit 42.