
Cyberwarfare

‘Lotus Blossom’ Cyber-espionage Campaign Stretches Back 3 Years: Palo Alto Networks

Researchers at Palo Alto Networks have identified a cyber-espionage operation targeting government and military organizations in Southeast Asia.


The group responsible for the campaign has been nicknamed ‘Lotus Blossom’, and given its targets and persistence, is likely state-sponsored, according to Palo Alto Networks. More than 50 different attacks have been linked to the campaign, which has gone on for the past three years.

“The group relies on spear phishing attacks to infect its users, often using a malicious Office document and decoy file containing content relevant to the target’s occupation or interests,” according to a report from Palo Alto Networks’ Unit 42 team. “The spear phishing attachment typically includes exploit code for a well-known Microsoft Office vulnerability, CVE-2012-0158, which is used to install the Trojan on the system and then display the decoy file, tricking the user into thinking the file opened correctly.”

The attackers used a backdoor Trojan named Elise, after the sports car made by Group Lotus PLC of the United Kingdom. The tool appears to be unique to the group and has evolved over the course of the campaign.

“A popular theme for the decoy documents was personnel rosters, largely claiming to be for specific military or government offices,” according to the research. “Another theme was the use of attractive pictures of Asian women that were sourced from the Internet. Some of the information contained in the decoys could be found on the Internet; however, it is worth noting none of the military or government themed decoys could be found. In particular, the decoys used against the Philippines were exclusively military and government themed, with the bulk purporting to be related to the Navy.”

“As we were unable to find any of the decoys online, and they purport to contain sensitive information, we have not included images of them, in case the information is legitimate,” Palo Alto Networks researchers noted in the paper. “One document is even stamped ‘Secret.’”

The targets of the campaign were found in Vietnam, the Philippines, Taiwan, Hong Kong and Indonesia.

“The Trojan backdoor and vulnerability exploits used in Operation Lotus Blossom aren’t cutting-edge by today’s standards, but these types of attacks can be detrimental if they are successful and give attackers access to sensitive data,” said Ryan Olson, intelligence director of Unit 42, in a statement. “The fact that older vulnerabilities are still being used tells us that until organizations adopt a prevention-based mindset and take steps to improve cyber hygiene, cyberattackers will continue to use legacy methods because they still work well.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
