29 May 2017

SkyEye Lab: OceanLotus (Sea Lotus) APT report summary



Summary 
Since April 2012, an organized, planned and targeted campaign of sustained attacks has been directed at important Chinese sectors, including government bodies, research institutes, maritime institutions, and marine construction and shipping enterprises. We have named the group behind it OceanLotus.

The group relies mainly on spear-phishing and watering-hole attacks, combined with a variety of social engineering techniques, to penetrate specific target groups and deliver custom Trojans to them. In this way it has covertly taken control of the computer systems of some government officials, outsourcing contractors and industry experts, and stolen confidential information from systems in the affected sectors.

More than 100 OceanLotus custom Trojan samples have been captured so far. Victims are spread across 29 provincial-level administrative regions of China and 36 other countries. 92.3% of the victims are inside China, with Beijing and Tianjin the two most heavily affected regions.

To conceal its tracks, the group has registered at least 35 C2 (also written C&C, short for Command and Control) server domain names in at least six countries, tied to 19 server IP addresses, with the servers themselves distributed across more than 13 different countries.

After February 2014, OceanLotus entered an active attack phase, and in May 2014 it launched its largest round of spear-phishing; a large number of victims were infected with custom Trojans by opening email attachments. In May and September 2014, and again in January 2015, the group also compromised the websites of a number of government agencies, research institutes and foreign companies and planted malicious code on them, launching several rounds of targeted watering-hole attacks.

OceanLotus has used four distinct types of custom Trojans. The early Trojans were technically unsophisticated and relatively easy to detect and remove. After 2014, however, the Trojans adopted a series of more complex techniques, including disguising themselves as documents, random encryption, self-destruction and countermeasures against security software, which made them much harder to detect and capture. After November 2014, the Trojans moved to cloud-based control, further increasing the danger and unpredictability of the attacks and the difficulty of identifying and removing the malware.

The long duration of the OceanLotus campaign (more than three years), its clearly defined targets, the complexity of its attack techniques and the precision of its social engineering all indicate that this is not an ordinary civilian hacker group, but most likely a highly organized, specialized overseas hacker group operating with the backing of a foreign government.

OceanLotus Overview

Since April 2012, an overseas hacker group has been conducting organized, planned and targeted attacks, without interruption, against important Chinese sectors including government bodies, research institutes, maritime institutions, and marine construction and shipping companies. The group relies mainly on spear-phishing and watering-hole attacks, combined with a variety of social engineering techniques, to penetrate specific target groups and deliver custom Trojans to them, covertly taking control of the computer systems of some government officials, outsourcing contractors and industry experts and stealing confidential information from systems in the affected sectors.

Based on certain characteristics of the group's attacks, we named it OceanLotus.

The earliest captured OceanLotus custom Trojan sample dates from April 2012. In the three years since, we have captured more than 100 samples of four distinct forms of custom Trojan used by the group; the victims of these Trojans are spread across 29 provincial-level administrative regions of China and 36 other countries. In addition, to conceal its tracks, the group has registered in at least six countries 35 C2 (also written C&C, short for Command and Control) server domain names used to remotely control infected machines, tied to 19 related server IP addresses, with the servers distributed across more than 13 different countries worldwide.

Looking at the history of OceanLotus attacks, the following points and major events deserve the most attention:

April 2012: the group's Trojans were first discovered, marking the start of OceanLotus's infiltration campaign. For roughly the next two years, however, OceanLotus was largely inactive.

February 2014: OceanLotus began launching targeted spear-phishing attacks against targets in China, entering its active phase, and over the following 14 months attacked multiple Chinese targets without interruption.

May 2014: OceanLotus launched a large-scale spear-phishing attack on a leading Chinese marine research institute, the peak of its spear-phishing activity over those 14 months.

Also in May 2014, OceanLotus compromised the official website of a Chinese marine construction agency and planted malicious code on it, forming the first round of large-scale watering-hole attacks.

June 2014: OceanLotus began sending mass spear-phishing emails to a large number of Chinese institutions connected with fishery resources.

September 2014: OceanLotus launched a second round of watering-hole attacks against China's maritime construction industry.

November 2014: OceanLotus began replacing its original custom Trojans at scale with more aggressive and stealthier cloud-controlled Trojans, and continued attacking Chinese targets.

January 19, 2015: OceanLotus planted malicious code on the website of a Chinese government maritime agency, forming the third round of large-scale watering-hole attacks.

Since March 2015, OceanLotus has attacked an even larger number of Chinese government agencies.


Through several years of tracking and forensic analysis of OceanLotus activity, we have identified a large number of victims. The figure below shows the monthly trend, since February 2014, in the number of computers worldwide infected by OceanLotus custom Trojans.



Geographically, infections inside China account for 92.3% of all OceanLotus custom Trojan infections worldwide. Within China, Beijing has the largest share of victims at 22.7%, followed by Tianjin at 15.5%.



The figure below shows the geographical distribution of OceanLotus custom Trojan infections.


Technical analysis shows that the initial OceanLotus custom Trojans were technically unsophisticated and relatively easy to detect and remove. After 2014, however, the Trojans adopted a series of more complex techniques, including disguising themselves as documents, random encryption, self-destruction and countermeasures against security software, which made them much harder to detect and capture. After November 2014, the Trojans began shifting to cloud-based control, further increasing the danger and unpredictability of the attacks and the difficulty of identifying and removing the malware.

Overall, the long duration of the OceanLotus campaign (more than three years), its clearly defined targets, the complexity of its attack techniques and the precision of its social engineering indicate that this is not an ordinary civilian hacker group, but a highly organized, professional overseas hacker group operating with the backing of a foreign government.
