New cyberattacks target Southeast Asian governments, military operations

Sean Duca, Vice President and Regional Chief Security Officer for Asia Pacific, Palo Alto Networks.

US-based security expert Palo Alto Networks (PAN) has disclosed the operations of a potentially state-sponsored cyberattack campaign that has been targeting government and military organizations in countries across Southeast Asia.

Dubbed Operation Lotus Blossom (OLB), the adversary group has been operating since 2012 with support from a country that has interests in Southeast Asia. With over 50 individual attacks identified by PAN’s threat intelligence team, Unit 42, the campaign appears to be an attempt to gain inside information on the operation of nation-states in the region, including targets in Hong Kong, Indonesia, Taiwan, Vietnam, and the Philippines.

The company, however, refused to identify the source of the attacks or who initiates them. But Sean Duca, Regional Chief Security Officer – Asia Pacific at Palo Alto Networks, said, “We believe the attacks are state-sponsored as they are well-organized and well-funded.”

Duca claims the campaign targets the intellectual property of the targeted nations.

The attacks made by OLB depend heavily on a custom-built Trojan named “Elise” and use spear phishing emails as the initial attack vector. This method uses enticing subject lines and legitimate-looking decoy documents designed to trick users into believing they are opening a legitimate file, as opposed to malware. These documents are usually personnel rosters for specific military or government offices.

Unit 42 believes that the Lotus Blossom group developed the Elise malware specifically to meet the needs of the attack campaigns. Elise is a sophisticated tool, including variants with the ability to evade detection in virtual environments, connect to command and control servers for additional instruction, and exfiltrate data.

The OLB attacks were discovered by Unit 42 using the Palo Alto Networks AutoFocus service, which allowed the team to correlate and interrogate security events from over 6,000 WildFire subscribers and other threat intelligence sources. These attacks are automatically prevented for all Palo Alto Networks Threat Prevention and WildFire subscribers. Others are encouraged to check their networks for signs of intrusion and add relevant indicators to their security controls.
