Today Unit 42 published new research identifying a persistent cyber espionage campaign targeting government and military organizations in Southeast Asia. The adversary group responsible for the campaign, which we named “Lotus Blossom,” is well organized and likely state-sponsored, with support from a country that has interests in Southeast Asia. The campaign has been in operation for some time; we have identified over 50 different attacks taking place over the past three years.
Background and Findings
Unit 42 has linked more than 50 individual attacks across Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia to the Lotus Blossom group. These attacks share a number of characteristics, including:
They are against military and government targets
Spearphishing is used as the initial attack vector
They use a custom Trojan backdoor named “Elise” to gain a foothold
A decoy file appears during initial compromise with Elise, tricking users into thinking they opened a benign file
Attacks by the Lotus Blossom group rely heavily on the use of spearphishing emails that use enticing subject lines and legitimate-looking decoy documents to trick users into opening a malware executable they think is a legitimate document. This document is usually a personnel roster for a specific military or government office.
We believe that the Lotus Blossom group developed the Elise malware specifically to meet the needs of the attack campaigns, and we’ve observed three variants across 50 samples during the three-year period of these attacks. Elise is a relatively sophisticated tool, including variants with the ability to evade detection in virtual environments, connect to command-and-control servers for additional instruction, and exfiltrate data.
Operation Lotus Blossom is a prime example of how a well-resourced adversary will deploy advanced tools, over an extended time period, sometimes years, in order to reach its goals. In this case, the pattern of behavior suggests that the actors behind this group were nation-state sponsored, from a country with an interest in the government and military affairs of Southeast Asian nations.
Learn more here:
http://stage.paloaltonetworks.com/threat-research.html
Background and Findings
Unit 42 has linked more than 50 individual attacks across Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia to the Lotus Blossom group. These attacks share a number of characteristics, including:
They are against military and government targets
Spearphishing is used as the initial attack vector
They use a custom Trojan backdoor named “Elise” to gain a foothold
A decoy file appears during initial compromise with Elise, tricking users into thinking they opened a benign file
Attacks by the Lotus Blossom group rely heavily on the use of spearphishing emails that use enticing subject lines and legitimate-looking decoy documents to trick users into opening a malware executable they think is a legitimate document. This document is usually a personnel roster for a specific military or government office.
We believe that the Lotus Blossom group developed the Elise malware specifically to meet the needs of the attack campaigns, and we’ve observed three variants across 50 samples during the three-year period of these attacks. Elise is a relatively sophisticated tool, including variants with the ability to evade detection in virtual environments, connect to command-and-control servers for additional instruction, and exfiltrate data.
Operation Lotus Blossom is a prime example of how a well-resourced adversary will deploy advanced tools, over an extended time period, sometimes years, in order to reach its goals. In this case, the pattern of behavior suggests that the actors behind this group were nation-state sponsored, from a country with an interest in the government and military affairs of Southeast Asian nations.
Learn more here:
http://stage.paloaltonetworks.com/threat-research.html
- Category
- Palo Alto Networks
- Tags
- Palo Alto Networks, Lotus Blossom, Elise
Be the first to comment
Up Next
Autoplay
-
14:33
Global Threat Landscape Report | FortiGuardLIVE
-
01:01
2024 Threat Predictions Report | FortiGuard Labs
-
17:53
2H 2022 Threat Landscape Report | FortiGuardLIVE
-
16:45
FortiGuard Labs’ 2023 1H Threat Report | FortiGuardLIVE
-
01:13
FortiGuard Labs Global Threat Landscape Report 1H 2021 | Threat Intelligence
-
17:53
2H 2022 Threat Landscape Report | FortiGuardLIVE
-
18:43
2021 Threat Landscape Report | FortGuardLIVE
-
01:30
FortiGuard Labs Global Threat Landscape Report 2H 2021 | Threat Intelligence
-
15:17
Global Threat Landscape Report | FortiGuardLIVE
-
01:26
2015 Application Usage & Threat Report
-
00:34
Meet the 5720 Universal Switch
-
01:26
Enable and Collect Webex Directory Connector Logs
-
01:18
Introducing Vatche Varvarian - Innovation Lead