A China-linked cyber espionage group tracked by security firms as Lotus Blossom, Elise, Esile and Spring Dragon has used more than 600 malware samples in its attacks over the past years, according to Kaspersky Lab.
Spring Dragon has been around since at least 2012, but there is some evidence suggesting that it may have been active since 2007. The state-sponsored threat group has mainly targeted military and government organizations in Southeast Asia.
Kaspersky Lab learned recently from a research partner in Taiwan of new attacks launched by the group. Data collected by the security firm indicates that the APT actor has also targeted political parties, universities and other educational institutions, and companies in the telecommunications sector.
The cyberspies appear to focus on countries around the South China Sea, including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.
The threat actor has been using a wide range of tools, including backdoors that can download other files to the compromised machine, upload files to a remote server, and execute files and commands. Kaspersky Lab has identified a total of more than 600 malware samples used over the past years.
According to the security firm, the malware leverages a command and control (C&C) infrastructure of more than 200 unique IP addresses and domains, with each sample using hardcoded campaign codes and custom C&C addresses.
The C&C servers used by Spring Dragon are located in several countries, but roughly two-thirds are located in Hong Kong and the United States. Some servers have also been spotted in Germany, China and Japan.
Based on malware compilation timestamps, which Kaspersky believes have not been altered, the attackers appear to be located in the GMT+8 timezone, which corresponds to China, Indonesia, Malaysia, Mongolia, Singapore, Taiwan, the Philippines and Western Australia.
The malware compilation timestamps also suggest that the members of the group either work in two shifts, or Spring Dragon malware has been compiled by two different groups, one of which may be located in Europe.
“The number of malware samples which we managed to collect (over 600) for the group surpassed many others, and suggests an operation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums to any buyers, although, to date, we haven’t seen this,” explained Kaspersky’s Noushin Shabab.