Spring Dragon APT resurfaces targeting South China Sea markets

An advanced persistent threat (APT) known as Spring Dragon has been targeting territories around the South China Sea in particular, including Hong Kong, according to Kaspersky Lab.

In early 2017, Kaspersky Lab researchers noted increased activity by the Spring Dragon APT (also known as LotusBlossom). The attacks involved new and evolved tools and techniques and targeted countries around the South China Sea.

Spring Dragon is a long-running threat actor that has been targeting high-profile political, governmental and educational organizations in Asia since 2012. Kaspersky Lab has been tracking the APT for the last few years.

In the wake of the renewed attacks of early 2017, Kaspersky Lab researchers have undertaken a detailed review of 600 Spring Dragon malware samples.

The company's telemetry showed that Taiwan had the largest number of attacks, followed by Indonesia, Vietnam, the Philippines, Macau, Malaysia, Hong Kong and Thailand.

The attackers’ toolset includes a unique, customized set of links to command and control servers for each malware sample; overall, the malware samples contained more than 200 unique IP addresses.

This toolset was accompanied by customized installation data for each attack to make detection difficult.

The arsenal includes various backdoor modules with different characteristics and functionalities – although they all have the capability to download additional files to the victim’s machine, upload files to its servers and execute any executable file or command on the victim’s machine. This allows the attackers to undertake a number of malicious activities on the victim’s machine – particularly cyberespionage.

The malware compilation timestamps suggest a time zone of GMT +8, although the experts warn that this is not a reliable indicator for attribution.

“Organizations and businesses need to step up and manage risk on reputation and service guarantees,” Kaspersky Lab general manager for ANZ Anastasia Para Rae said.

“The average loss from a single targeted attack is close to $1 million excluding reputational impact. In the event of cyberattack, a considerable investment is made for urgent response to improve software and infrastructure. The reverse needs to take place. We must not wait for attacks to happen for us to take precaution.”

First published in NetworksAsia