Exposing cyberattacks targeting government networks in Southeast Asia

Palo Alto Networks uncovered a series of potentially state-sponsored cyberattacks targeting government and military organizations in countries throughout Southeast Asia. Help Net Security has learned that their Unit 42 team has been gathering and analyzing data since January of 2015.


Dubbed “Operation Lotus Blossom”, the attacks appear to be an attempt to gain inside information on the operation of nation-states throughout the region. The campaign dates as far back as three years and involves targets in Hong Kong, Taiwan, Vietnam, the Philippines and Indonesia.

They’ve seen indications that other nations in Southeast Asia are also experiencing attacks, but due to lack of evidence, they cannot confirm that at this time.

Over 50 separate attacks have been identified. They all use a custom-built Trojan, named Elise to deliver highly targeted spear phishing emails and gain an initial foothold on targeted systems. Researchers believes the Elise malware was developed to specifically meet the unique needs of the operation, but also is being used in other non-related attacks by the adversary.

The attacks, which display the use of custom-built tools, extensive resources, and persistence across multiple years, suggest a well funded and organized team is behind them.

Given these variables and the nature of the targets, Palo Alto Networks thinks the motivation for the attacks is cyber espionage and the actors behind them are associated with or sponsored by a nation-state with strong interests in the regional affairs of Southeast Asia.


“The Trojan backdoor and vulnerability exploits used in Operation Lotus Blossom aren’t cutting-edge by today’s standards, but these types of attacks can be detrimental if they are successful and give attackers access to sensitive data. The fact that older vulnerabilities are still being used tells us that until organizations adopt a prevention-based mindset and take steps to improve cyber hygiene, cyberattackers will continue to use legacy methods because they still work well,” said Ryan Olson, intelligence director, Unit 42, Palo Alto Networks.

The full report is available here (registration required).

Don't miss