Findings Indicate Potentially State-sponsored Adversary Operating Over Three Years
Dubai, U.A.E., June 17, 2015 – Palo Alto Networks® (NYSE: PANW), the leader in enterprise security, shared research that uncovers a series of potentially state-sponsored cyberattacks targeting government and military organizations in countries throughout Southeast Asia. Discovered by the Palo Alto Networks Unit 42 threat intelligence team and dubbed “Operation Lotus Blossom”, the attacks appear to be an attempt to gain inside information on the operation of nation-states throughout the region. The campaign dates as far back as three years and involves targets in Hong Kong, Taiwan, Vietnam, the Philippines and Indonesia.
Over 50 separate attacks have been identified in Operation Lotus Blossom. They all use a custom-built Trojan, named “Elise”, delivered through highly targeted spear phishing emails, to gain an initial foothold on targeted systems. Unit 42 believes the Elise malware was developed specifically to meet the unique needs of the operation, but it is also being used by the adversary in other, unrelated attacks.
The attacks, which display the use of custom-built tools, extensive resources, and persistence across multiple years, suggest a well-funded and organized team is behind them. Given these variables and the nature of the targets, Unit 42 believes the motivation for the attacks is cyber espionage and that the actors behind them are associated with or sponsored by a nation-state with strong interests in the regional affairs of Southeast Asia.
Saeed Agha, General Manager, Palo Alto Networks Middle East, said that the Unit 42 team discovered the Lotus Blossom campaign using the recently announced Palo Alto Networks AutoFocus service, which allowed the team’s security analysts to correlate and interrogate security events from over 6,000 WildFire subscribers and other threat intelligence sources. These attacks are automatically prevented for all Palo Alto Networks Threat Prevention and WildFire subscribers. Others are encouraged to check their networks for signs of intrusion and add relevant indicators to their security controls, all of which are detailed in the full report.
QUOTE
· “The Trojan backdoor and vulnerability exploits used in Operation Lotus Blossom aren’t cutting-edge by today’s standards, but these types of attacks can be detrimental if they are successful and give attackers access to sensitive data. The fact that older vulnerabilities are still being used tells us that until organizations adopt a prevention-based mindset and take steps to improve cyber hygiene, cyberattackers will continue to use legacy methods because they still work well.”
- Ryan Olson, intelligence director, Unit 42, Palo Alto Networks
With the AutoFocus service, security practitioners gain instant access to actionable intelligence derived from billions of file analysis artifacts based on the files collected from over 5,000 global enterprises, service providers, and government organizations routinely targeted by advanced, targeted attacks. By delivering context, such as the origin and uniqueness of a particular threat, or relevance to an organization’s industry, the AutoFocus cyber threat intelligence service is able to:
· Expose the latest threat tactics, techniques, and procedures used by attackers;
· Attribute attacks to specific adversaries;
· Identify how specific threats fit into a larger campaign; and
· Distinguish between commodity malware and highly customized or targeted malware.
Recommendations
· Read more details of the Lotus Blossom attacks on the Unit 42 blog: http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/
· Access the complete report here, including all Indicators of Compromise (IOCs): https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html
· Subscribe to Unit 42 research and analysis updates: https://www.paloaltonetworks.com/threat-research.html