ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Lotus Blossom, Spring Dragon, Thrip

Names: Lotus Blossom (Palo Alto), Spring Dragon (Kaspersky), Dragonfish (iDefense), Billbug (Symantec), Thrip (Symantec), ATK 1 (Thales), ATK 78 (Thales)
Country: China
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2012
Description: (Kaspersky) Spring Dragon is a long-running APT actor that operates on a massive scale. The group has been running campaigns, mostly in countries and territories around the South China Sea, since as early as 2012. The main targets of Spring Dragon attacks are high-profile governmental organizations and political parties, education institutions such as universities, as well as companies from the telecommunications sector.

Spring Dragon is known for spear phishing and watering hole techniques and some of its tools have previously been analyzed and reported on by security researchers, including Kaspersky Lab.

Operation Poisoned News, TwoSail Junk may be one of their campaigns.
Observed sectors: Aerospace, Defense, Education, Government, High-Tech, Satellites, Telecommunications.
Observed countries: ASEAN, Brunei, Cambodia, Hong Kong, Indonesia, Japan, Laos, Macao, Malaysia, Myanmar, Philippines, Singapore, Taiwan, Thailand, USA, Vietnam.
Tools used: Catchamas, Elise, Emissary, gpresult, Hannotog, Mimikatz, PsExec, Rikamanu, Sagerunex, Spedear, WMI Ghost, Living off the Land.
Operations performed:

Jun 2015: Operation “Lotus Blossom”
Today Unit 42 published new research identifying a persistent cyber espionage campaign targeting government and military organizations in Southeast Asia. The adversary group responsible for the campaign, which we named “Lotus Blossom,” is well organized and likely state-sponsored, with support from a country that has interests in Southeast Asia. The campaign has been in operation for some time; we have identified over 50 different attacks taking place over the past three years.
<https://unit42.paloaltonetworks.com/operation-lotus-blossom/>
Nov 2015: Attack on French Diplomat
We observed a targeted attack in November directed at an individual working for the French Ministry of Foreign Affairs. The attack involved a spear-phishing email sent to a single French diplomat based in Taipei, Taiwan and contained an invitation to a Science and Technology support group event.
<https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/>
Early 2017: In the beginning of 2017, Kaspersky Lab became aware of new activities by an APT actor we have been tracking for several years called Spring Dragon (also known as LotusBlossom).
Information about the new attacks arrived from a research partner in Taiwan and we decided to review the actor’s tools, techniques and activities.
Using Kaspersky Lab telemetry data we detected the malware in attacks against some high-profile organizations around the South China Sea.
<https://securelist.com/spring-dragon-updated-activity/79067/>
Jan 2018: Attacks on Association of South East Asian Nations (ASEAN) countries
During the last weeks of January (2018), nation state actors from Lotus Blossom conducted a targeted malware spam campaign against the Association of South East Asian Nations (ASEAN) countries.
<https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting>
<https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf>
Jan 2018: Back in January 2018, TAA triggered an alert at a large telecoms operator in Southeast Asia.
<https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets>
Jun 2018: Since Symantec first exposed the Thrip group in 2018, the stealthy China-based espionage group has continued to mount attacks in South East Asia, hitting military organizations, satellite communications operators, and a diverse range of other targets in the region.
<https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0030/>
<https://attack.mitre.org/groups/G0076/>

Last change to this card: 01 May 2020



Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
