‘Lotus Blossom’ Cyber-espionage Campaign Stretches Back 3 Years: Palo Alto Networks

Researchers at Palo Alto Networks have identified a cyber-espionage operation targeting government and military organizations in Southeast Asia.

The group responsible for the campaign has been nicknamed ‘Lotus Blossom’, and given its targets and persistence, is likely state-sponsored, according to Palo Alto Networks. More than 50 different attacks have been linked to the campaign, which has gone on for the past three years.

“The group relies on spear phishing attacks to infect its users, often using a malicious office document and decoy file containing content relevant to the target’s occupation or interests,” according to a report from Palo Alto Networks’ Unit 42 team. “The spear phishing attachment typically includes exploit code for a well-known Microsoft Office vulnerability, CVE-2012-0158, which is used to install the Trojan on the system and then display the decoy file, tricking the user into thinking the file opened correctly.”

The attackers used a backdoor Trojan named Elise after the sports car made by Group Lotus PLC of the United Kingdom. The tool appears to be unique to the group, and has morphed over time.

“A popular theme for the decoy documents was personnel rosters, largely claiming to be for specific military or government offices,” according to the research. “Another theme was the use of attractive pictures of Asian women that were sourced from the Internet. Some of the information contained in the decoys could be found on the Internet; however, it is worth noting none of the military or government themed decoys could be found. In particular, the decoys used against the Philippines were exclusively military and government themed, with the bulk purporting to be related to the Navy.”

“As we were unable to find any of the decoys online, and they purport to contain sensitive information, we have not included images of them, in case the information is legitimate,” Palo Alto Networks researchers noted in the paper. “One document is even stamped ‘Secret.’”

The targets of the campaign were found in Vietnam, the Philippines, Taiwan, Hong Kong and Indonesia.

“The Trojan backdoor and vulnerability exploits used in Operation Lotus Blossom aren’t cutting-edge by today’s standards, but these types of attacks can be detrimental if they are successful and give attackers access to sensitive data,” said Ryan Olson, intelligence director of Unit 42, in a statement. “The fact that older vulnerabilities are still being used tells us that until organizations adopt a prevention-based mindset and take steps to improve cyber hygiene, cyberattackers will continue to use legacy methods because they still work well.”

Written By

Marketing professional with a background in journalism and a focus on IT security.