Operation Lotus Blossom Sets Sights on Asian Military

Security experts have warned of a new, state-sponsored targeted attack campaign against government and military organizations in several countries around the South China Sea.

The three-year Operation Lotus Blossom campaign has so far affected Hong Kong, Taiwan, Indonesia, Vietnam, and the Philippines, with over 50 individual attacks spotted by Palo Alto Networks’ Unit 42 research group.

Attacks usually arrive in the form of a spear-phishing email with a malicious attachment which the user is tricked into opening – usually a ‘personnel roster’ for a relevant military or government office, the researchers claimed in a blog post.

If a user clicks on this file they will apparently be presented with a legitimate looking file while the malware downloads covertly in the background.

The malware itself is a variation of the Elise trojan backdoor, which has been modified by the attackers in three new variants. New functionality includes the ability to evade detection in virtual environments, connect to C&C servers for additional instructions, and exfiltrate data.

Palo Alto Networks intelligence director, Ryan Olson, would not be drawn on attribution, although China must be an obvious suspect given the nation’s geopolitical and military interest in the region.

“While we cannot say specifically what data Operation Lotus Blossom was pursuing in launching these attacks, we can reasonably assume that they have been tasked to gather information that is only available to government and military organizations in Southeast Asia,” he told Infosecurity.

“These types of attacks appear to be increasing in frequency all over the world, but the South China Sea region is certainly a heavy target. Operation Lotus Blossom and other recently identified espionage groups appear to focus specifically on this area of the world, indicating that their sponsors have a significant interest in these nations.”

China was in fact blamed for another long-running APT style campaign in the region last year, when Cyber Squared spotted state-sponsored hackers stealing government and military secrets from entities in the Philippines, Vietnam and other countries in the region.

All of these countries have been involved in disputes over maritime territories in the South China Sea in recent years as China tries to assert its dominance.

Olson warned any Western organization which operates in the region to review the Palo Alto Networks report – specifically indicators of compromise – to check whether it has been a target.

What’s Hot on Infosecurity Magazine?