Kaspersky Lab is warning of activity from a threat actor targeting countries around the South China Sea. The cybersecurity firm has seen increased activity by an advanced persistent threat (APT) called Spring Dragon (or LotusBlossom) since 2017 that involve new and evolved tools and techniques.
Kaspersky Lab Global Research & Analysis Team (GReAT) Senior Security Researcher Noushin Shabab said, “We believe that
Spring Dragon is going to continue resurfacing regularly in the Asian
region and it's important to be familiar with its tools and techniques.
We encourage individuals and businesses to have good YARA rules* and
other detection mechanisms in place and strongly recommended they use –
and regularly audit – a multilayered approach to security.”
Dragon has been targeting high profile political, governmental and
educational organisations in Asia since 2012. Kaspersky Lab has been tracking the APT for the last few years.
early 2017, Kaspersky Lab identified renewed attacks in the threat
actor’s target region. According to Kaspersky Lab telemetry, Taiwan had
the largest number of attacks followed by Indonesia, Vietnam, the
Philippines, Macau, Malaysia, Hong Kong and Thailand. To help
organisations better understand and protect against the threat,
Kaspersky Lab’s researchers have undertaken a detailed review of 600
Spring Dragon malware samples.
Kaspersky Lab’s overview of Spring Dragon’s tools shows that:
The attackers’ toolset includes a unique customised set of links to
command and control servers for each malware: the malware samples
contained more than 200 unique IP addresses overall.
- This toolset was accompanied by customised installation data for each attack to make detection difficult.
The arsenal includes various backdoor modules with different
characteristics and functionalities – although they all have the
capability to download additional files to the victim’s machine, upload
files to its servers and execute any executable file or command on the
victim’s machine. This allows the attackers to undertake a number of
malicious activities on the victim’s machine – particularly
- The malware compilation timestamps suggest a time zone of GMT +8
– although the experts warn that does not represent a reliable
indicator of attribution. Countries which are in this time zone include
Brunei, China including Hong Kong, Singapore, Taiwan, the Philippines,
Western Australia as well as parts of Indonesia.
Lab GM ANZ Anastasia Para Rae says, “Organisations and businesses need
to step up and manage risk on reputation and service guarantees. The
average loss from a single targeted attack is close to US$1,000,000
excluding reputational impact. In the event of cyberattack, a
considerable investment is made for urgent response to improve software
and infrastructure. The reverse needs to take place. We must not wait
for attacks to happen for us to take precaution.”
In order to protect your personal or business data from cyberattacks, Kaspersky Lab advises companies to:
- Implement an advanced, multilayered security solution that covers all networks, systems and endpoints.
Educate and train your personnel on social engineering as this method
is often used to make a victim open a malicious document or click on an
- Conduct regular security assessments of the organisation's IT infrastructure.
*YARA is a tool for pattern matching that helps cybersecurity researchers detect and identify malware.