Kaspersky Lab reports on resurgent threat actor targeting South China Sea area
11 July 2017
In early 2017, Kaspersky Lab researchers noted increased
activity by an APT called Spring Dragon (also known as LotusBlossom). The
attacks involved new and evolved tools and techniques and targeted countries
around the South China Sea. Kaspersky Lab’s experts have published their
analysis of the attackers’ toolset over time in order to help organizations
better understand the nature of the threat and protect themselves.
Spring Dragon is a long-running threat actor that has been targeting high-profile political, governmental and educational organisations in Asia since 2012. Kaspersky Lab has been tracking the APT for the last few years.
In early 2017,
Kaspersky Lab identified renewed attacks in the threat actor’s favoured South
China Sea region. According to Kaspersky Lab telemetry, Taiwan had the largest
number of attacks followed by Indonesia, Vietnam, the Philippines, Macau,
Malaysia, Hong Kong and Thailand. To help organizations better understand and
protect against the threat, Kaspersky Lab’s researchers have undertaken a detailed
review of 600 Spring Dragon malware samples.
● The attackers’ toolset includes a unique, customised set of links to command and control servers for each malware sample: the malware samples contained more than 200 unique IP addresses overall.
● This toolset was accompanied by customised installation data for each attack to make detection difficult.
● The arsenal includes various backdoor modules with different characteristics and functionalities – although they all have the capability to download additional files to the victim’s machine, upload files to the attackers’ servers and execute any executable file or command on the victim’s machine. This allows the attackers to undertake a number of malicious activities on the victim’s machine – particularly cyberespionage.
● The malware compilation timestamps suggest a time zone of GMT +8 – although the experts warn that this does not represent a reliable indicator of attribution.
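The time-zone observation above comes from a standard analyst technique: read the compile timestamp stored in each sample's PE header and look for the UTC offset under which the builds cluster into a normal working day. The script below is an added example, not code from Kaspersky Lab or from the report. It parses the COFF TimeDateStamp field, builds an hour-of-day histogram and scores every whole-hour UTC offset by how many samples land inside a 09:00 to 18:00 local window. The sample timestamps, the `build_fake_pe` helper and the working-hour window are constructed assumptions for illustration; the timestamp field is attacker-controlled and trivially forged, which is why the report treats the result as a weak hint rather than attribution.

```python
"""Working-hours analysis of PE compile timestamps (added example, not Kaspersky Lab's code)."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def build_fake_pe(stamp: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header; not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0)  # IMAGE_FILE_MACHINE_I386
    return bytes(dos) + b"PE\0\0" + coff


def hour_histogram(stamps):
    """Count samples per UTC hour of day; clustering hints at the builder's working day."""
    return Counter(datetime.fromtimestamp(s, tz=timezone.utc).hour for s in stamps)


def estimate_utc_offset(stamps, work_start=9, work_end=18):
    """Score each whole-hour UTC offset by how many samples fall in local working hours.

    Returns (best_offset, samples_in_window). Ties keep the more westerly offset.
    """
    if not stamps:
        raise ValueError("no timestamps to analyse")
    best_offset, best_score = None, -1
    for offset in range(-12, 15):
        tz = timezone(timedelta(hours=offset))
        score = sum(1 for s in stamps
                    if work_start <= datetime.fromtimestamp(s, tz=tz).hour < work_end)
        if score > best_score:
            best_offset, best_score = offset, score
    return best_offset, best_score


# Constructed sample set (assumption): 35 builds spread over one working week whose
# UTC hours map to 09:00-17:59 at GMT+8, plus one late-night outlier.
_BASE = datetime(2017, 3, 6, tzinfo=timezone.utc)
SAMPLE_STAMPS = [
    int((_BASE + timedelta(days=d, hours=h, minutes=7 * d)).timestamp())
    for d in range(5) for h in (1, 2, 3, 5, 6, 8, 9)
] + [int((_BASE + timedelta(days=2, hours=14)).timestamp())]


if __name__ == "__main__":
    parsed = [pe_compile_timestamp(build_fake_pe(s)) for s in SAMPLE_STAMPS]
    print("UTC hour histogram:", sorted(hour_histogram(parsed).items()))
    offset, hits = estimate_utc_offset(parsed)
    print(f"best fit: UTC{offset:+d} with {hits}/{len(parsed)} samples in working hours")
```

On the constructed set the best fit is UTC+8 with 35 of 36 samples inside the window; the neighbouring offsets +7 and +9 each drop to 30, which is the kind of margin worth reporting alongside the result. On real sample sets, run the same scoring across several candidate windows and treat a flat or multi-peaked score as no signal.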
General Manager ANZ, Anastasia Para Rae, says: “Organisations and businesses need to step up and manage risk on reputation and service guarantees. The average loss from a single targeted attack is close to $1,000,000 excluding reputational impact. In the event of a cyberattack, a considerable investment is made for urgent response to improve software and infrastructure. The reverse needs to take place. We must not wait for attacks to happen for us to take precautions.”
GReAT Senior Security Researcher Noushin Shabab adds: “We believe that Spring Dragon is going to continue resurfacing regularly in the Asian region and it’s important to be familiar with its tools and techniques. We encourage individuals and businesses to have good Yara rules and other detection mechanisms in place and strongly recommend they use – and regularly audit – a multi-layered approach to security.”
In order to protect your personal or business data from cyberattacks, Kaspersky Lab advises the following:
● Implement an advanced, multi-layered security solution that covers all networks, systems and endpoints.
● Educate and train your personnel on social engineering, as this method is often used to make a victim open a malicious document or click on an infected link.
● Conduct regular security assessments of the organisation’s IT infrastructure.
● Use Kaspersky’s Threat Intelligence, which tracks cyberattacks, incidents and threats and provides customers with up-to-date, relevant information that they may be unaware of. Find out more at intelreports@kaspersky.com.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company celebrating its 20-year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.