Spear phishing campaign infects targets with Emissary trojan

Jan 2, 2016 15:00 GMT

A member of the French Ministry of Foreign Affairs working in Taipei, Taiwan, was the target of a spear phishing campaign that fits the pattern of regular attacks carried out via Operation Lotus Blossom.

According to cyber-security vendor Palo Alto Networks, the spear phishing emails contained weaponized Word files that, if opened, infected the target's PC with the Emissary trojan, a malware downloader that would eventually install the Elise backdoor, a tool commonly used in the past by the APT group behind the Operation Lotus Blossom campaign.

The Emissary trojan would exploit the Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332) and allow the backdoor full control over infected PCs.

Infections via a well-planned, targeted spear phishing campaign

To make sure the victim would open the spear phishing email, the attackers crafted a message inviting the French diplomat to participate in a Science and Technology conference held in Hsinchu, Taiwan.

The Word files attached to the email contained an invitation to the conference and the application form.

The email was sent on November 10, while the conference, a real event, was scheduled to take place on November 13.

Operation Lotus Blossom hackers are known to target only political and military objectives, and the interest in the French diplomat stemmed from Taiwan's close relations with France, which is Taiwan's second largest technology partner and fourth largest trading partner in Europe.

Political implications and attribution

The conference was also sponsored by leaders of the Democratic Progressive Party (DPP), a pro-Western Taiwanese political party expected to win the country's general elections, set to be held on January 16, 2016.

The DPP is the main opposition to the Kuomintang (KMT), a pro-Chinese political party.

Earlier in December, FireEye warned of a similar cyber-espionage campaign carried out by the APT16 cyber-espionage group, targeting Taiwanese politicians and members of the local pro-DPP media.

In that specific instance, APT16 used different Windows vulnerabilities to infect victims with backdoors, so it may not be the same group. FireEye suspected that the Chinese government was behind APT16 and that particular campaign.

Palo Alto refrained from giving attribution to a specific country but was sure that this short spear-phishing campaign was carried out by Operation Lotus Blossom hackers.