Researchers at Palo Alto Networks have identified a cyber-espionage operation targeting government and military organizations in Southeast Asia.
The group responsible for the campaign has been nicknamed ‘Lotus Blossom’, and given its targets and persistence, is likely state-sponsored, according to Palo Alto Networks. More than 50 different attacks have been linked to the campaign, which has gone on for the past three years.
“The group relies on spear phishing attacks to infect its users, often using a malicious office document and decoy file containing content relevant to the target’s occupation or interests,” according to a report from Palo Alto Networks’ Unit 42 team. “The spear phishing attachment typically includes exploit code for a well-known Microsoft Office vulnerability, CVE-2012-0158, which is used to install the Trojan on the system and then display the decoy file, tricking the user into thinking the file opened correctly.”
The attackers used a backdoor Trojan named Elise after the sports car made by Group Lotus PLC of the United Kingdom. The tool appears to be unique to the group, and has morphed over time.
“A popular theme for the decoy documents was personnel rosters, largely claiming to be for specific military or government offices,” according to the research. “Another theme was the use of attractive pictures of Asian women that were sourced from the Internet. Some of the information contained in the decoys could be found on the Internet; however, it is worth noting none of the military or government themed decoys could be found. In particular, the decoys used against the Philippines were exclusively military and government themed, with the bulk purporting to be related to the Navy.”
“As we were unable to find any of the decoys online, and they purport to contain sensitive information, we have not included images of them, in case the information is legitimate,” Palo Alto Networks researchers noted in the paper. “One document is even stamped “Secret.””
The targets of the campaign were found in Vietnam, Philippines, Taiwan, Hong Kong and Indonesia.
“The Trojan backdoor and vulnerability exploits used in Operation Lotus Blossom aren’t cutting-edge by today’s standards, but these types of attacks can be detrimental if they are successful and give attackers access to sensitive data,” said Ryan Olson, intelligence director of Unit 42, in a statement. “The fact that older vulnerabilities are still being used tells us that until organizations adopt a prevention-based mindset and take steps to improve cyber hygiene, cyberattackers will continue to use legacy methods because they still work well.”