Note: Much of this information has been taken from an English translation of Qihoo 360’s SkyEye Labs report, and has been interpreted accordingly. The original report in Chinese can be found here.
In May 2015, the Chinese Internet company Qihoo 360’s SkyEye Labs accused an advanced persistent threat (APT) group named “OceanLotus” of stealing Chinese government information. Specifically, the company claimed the activity was conducted in the direct employ of a hostile foreign government.
According to the English translation of the report, the activity has targeted China since April 2012, focusing on maritime institutions, shipping enterprises, Chinese government departments, and research institutes, and stealing sensitive information. Two primary tactics have been identified: socially engineered e-mails with attractive lures designed to entice recipients to open attachments carrying embedded Trojans, and what is best described as watering hole attacks. According to SkyEye Labs, more than 100 OceanLotus Trojan samples, spanning four different types of Trojan, had been planted on computers in 29 Chinese provincial regions and 36 countries.
The activity started in April 2012 with the “watering hole” technique, then stopped for a period of two years. It resumed in February 2014 in the form of spearphishing. Although the activity also targeted other countries, 92% of the victims were located in China, with Beijing suffering the lion’s share of attacks.