Lotus Blossom: A new cyber threat in the Orient

China’s notoriously prolific band of state-sanctioned hackers would appear to be prime suspects in a newly discovered three-year campaign against multiple government and military targets in south-east Asia. Whilst western media continues to focus on the cyber threat facing our governments and private businesses from the East, it’s worth remembering that many countries in that part of the world have similar concerns.

Operation Lotus Blossom, as it’s being called by Palo Alto Networks, was discovered by the US security vendor’s Unit 42 research group. It details its findings in a new report which reveals over 50 individual attacks have already taken place since 2012. These targets are government and military entities in Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia – all countries a certain regional giant has a vested interest in keeping tabs on.

The malicious code itself arrives in the form of a classic spear-phishing email designed to trick the user into opening an attachment or clicking on a link which will then begin a covert malware download. The Trojan backdoor that is used in all of the attacks spotted so far is a variant on the Elise malware spotted in the wild previously. However, Palo Alto claimed that the attackers had developed three new relatively sophisticated versions with additional features such as the ability to evade detection in virtual environments, connect to command-and-control servers for more instructions, and exfiltrate data.

As with many similar APT/targeted attack style campaigns the attackers play the long game, deploying the info-stealing tool over years in order to get what they want. Palo Alto Networks intelligence director, Ryan Olson, unfortunately couldn’t tell me exactly what this info was, apart from the fact it is “information that is only available to government and military organisations in Southeast Asia.”

Attribution distraction

Palo Alto isn’t prepared to stake its name on where these attacks have come from – which is fair enough in an age when obfuscation tools and techniques make this incredibly difficult to do with any certainty. It would say this though:

“While we cannot attribute these attacks to those of a specific nation state, the pattern indicates a highly persistent adversary with the ability to develop custom tools, and maintain command and control infrastructure, over a long period of time. This evidence is consistent with a nation state adversary with a strong interest in the militaries of Southeast Asian nations.”

In fact, it’s arguable that by focusing too much on attribution, IT leaders are in danger of getting distracted from what really matters in these cases: learning their lessons and investing in the right tools and strategies to make sure a similar attack doesn’t happen again in the future. It’s what Aussie Signals Directorate veteran and current Telstra CISO Mike Burgess has called “attribution distraction”.

This incident is a good opportunity, however, to remember that it’s not just the West under attack from state-sponsored operatives. In fact, it calls to mind a similar campaign uncovered last year by Cyber Squared. That series of attacks, also against South China Sea nations, was attributed to China. Then as now, it’s worth reminding western firms with business interests in APAC – which is most major firms these days, to be honest – to pay close attention to cyber risk.

“Cyber espionage groups gather information through whatever means are available to them and in some cases that means there is collateral damage,” Olson told me. “A private company may have access to the information, or be used as a stepping stone to help the attacker gain access to it. We suggest that anyone who does business in the region review the indicators in the report to investigate whether or not their organisation has been a target of Lotus Blossom.”


Phil Muncaster

Phil Muncaster has been writing about technology since joining IT Week as a reporter in 2005. After leaving his post as news editor of online site V3 in 2012, Phil spent over two years covering the Asian tech scene from his base in Hong Kong. Now back in London, he always has one eye on what's happening out East.
