ATK1

ATK1 (aka: Lotus Blossom, Spring Dragon, DragonFish) is a state sponsored (China) first seen in 2012.

 

The group focuses mainly on the territories bordering its country of origin (South China Sea); The group primarily targets government institutions and political parties; Educational establishments such as universities, as well as companies in the telecommunications sector are not spared.

 

They notably used the Elise malware, it was intended to spy on many government organizations, mainly in Southeast Asia. We can think that this campaign was intended to support the Silk Roads project by securing the maritime side of the latter.

 

At the end of 2015, its “Emissary” malware received numerous updates, probably to avoid being detected by security products.

 

After a very active period, the group remains discreet until the beginning of 2017.

 

Other campaigns are carried out sporadically until 2018, still using Elise as the main attack vector, and sometimes using new exploits, such as CVE-2017-11882. ATK1 is capable of performing very large operations over a long period of time, while developing its specific arsenal.

 

These targets are extremely precise and the group rarely deviates from them.

 

Examination of the group's targets reveals that they correspond to the preferred geographic areas followed by offices 2 and 6 (units 61398 and 61726), which are the United States / Canada and South Asia / Taiwan areas, respectively. These offices are part of the Network System Department (NSD), which reports directly to the Strategic Support Force (SSF), which is part of the PLA Staff Department of the Central Military Commission. The information gathered through these espionage campaigns therefore has an undeniable strategic dimension for the Chinese military administration.

 

Références :

• http://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting

• http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html

• http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/

• http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/

• http://securelist.com/the-spring-dragon-apt/70726/

• http://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf

• http://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html

• http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments

• https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Lotus%20Blossom%2C%20Spring%20Dragon%2C%20Thrip

• https://attack.mitre.org/groups/G0030/

• https://community.rsa.com/t5/netwitness-blog/lotus-blossom-continues-asean-targeting/ba-p/518891

• https://securelist.com/blog/research/70726/the-spring-dragon-apt/

• https://securelist.com/spring-dragon-updated-activity/79067/

• https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/

• https://unit42.paloaltonetworks.com/operation-lotus-blossom/

• https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf

• https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf

• https://www.cfr.org/cyber-operations/lotus-blossom