Lotus Blossom, Spring Dragon, Thrip
Description
(Kaspersky) Spring Dragon is a long running APT actor that operates on a massive scale. The group has been running campaigns, mostly in countries and territories around the South China Sea, since as early as 2012. The main targets of Spring Dragon attacks are high profile governmental organizations and political parties, education institutions such as universities, as well as companies from the telecommunications sector.
Spring Dragon is known for spear phishing and watering hole techniques and some of its tools have previously been analyzed and reported on by security researchers, including Kaspersky Lab.
Operation Poisoned News, TwoSail Junk may be one of their campaigns.
Names
| Name | Name-Giver |
|---|---|
| Lotus Blossom | Palo Alto |
| Spring Dragon | Kaspersky |
| Dragonfish | iDefense |
| Billbug | Symantec |
| Thrip | Symantec |
| Bronze Elgin | SecureWorks |
| CTG-8171 | SecureWorks |
| ATK 1 | Thales |
| ATK 78 | Thales |
| Red Salamander | PWC |
Country
Sponsor
State-sponsored
Motivation
- Information theft and espionage
First Seen
2012
Observed Sectors
Observed Countries
- ASEAN
- Brunei
- Cambodia
- Hong Kong
- Indonesia
- Japan
- Laos
- Macao
- Malaysia
- Myanmar
- Philippines
- Singapore
- Taiwan
- Thailand
- USA
- Vietnam
Tools
- Catchamas
- Elise
- Emissary
- gpresult
- Hannotog
- Mimikatz
- PsExec
- Rikamanu
- Sagerunex
- Spedear
- WMI Ghost
- Living off the Land
Operations
- 2015-06: Operation “Lotus Blossom” Today Unit 42 published new research identifying a persistent cyber espionage campaign targeting government and military organizations in Southeast Asia. The adversary group responsible for the campaign, which we named “Lotus Blossom,” is well organized and likely state-sponsored, with support from a country that has interests in Southeast Asia. The campaign has been in operation for some time; we have identified over 50 different attacks taking place over the past three years. https://unit42.paloaltonetworks.com/operation-lotus-blossom/
- 2015-11: Attack on French Diplomat We observed a targeted attack in November directed at an individual working for the French Ministry of Foreign Affairs. The attack involved a spear-phishing email sent to a single French diplomat based in Taipei, Taiwan and contained an invitation to a Science and Technology support group event. https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/
- 2017 Early: In the beginning of 2017, Kaspersky Lab became aware of new activities by an APT actor we have been tracking for several years called Spring Dragon (also known as LotusBlossom). Information about the new attacks arrived from a research partner in Taiwan and we decided to review the actor’s tools, techniques and activities. Using Kaspersky Lab telemetry data we detected the malware in attacks against some high-profile organizations around the South China Sea. https://securelist.com/spring-dragon-updated-activity/79067/
- 2018-01: Attacks on Association of South East Asian Nations (ASEAN) countries During the last weeks of January (2018), nation state actors from Lotus Blossom conducted a targeted malware spam campaign against the Association of South East Asian Nations (ASEAN) countries. https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
- 2018-01: Back in January 2018, TAA triggered an alert at a large telecoms operator in Southeast Asia. https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
- 2018-06: Since Symantec first exposed the Thrip group in 2018, the stealthy China-based espionage group has continued to mount attacks in South East Asia, hitting military organizations, satellite communications operators, and a diverse range of other targets in the region. https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia
- 2022-03: Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority
- 2024-08: Billbug: Intrusion Campaign Against Southeast Asia Continues https://www.security.com/threat-intelligence/billbug-china-espionage
Information
Mitre Attack
Other Information
Uuid
3b0d3a5d-1858-4be6-b23e-c2620e6e1065
Last Card Change
2025-06-27