Chinese-linked hacking group Thrip launching malware attacks on satellite and defence companies

A wide-reaching malware-based espionage operation, undetected for five years, has infiltrated satellite, telecoms and defence companies across the US and Southeast Asia.

Originating from machines in China, security company Symantec has been monitoring the group Thrip since 2013, gathering information about a malware campaign with an array of highly sensitive targets that point to espionage or even disruption.

Using 'living off the land' tactics, a growing trend of attackers using tools already installed on targeted devices to blend into victims' networks and hide malicious activity among legitimate processes, Thrip launched attacks from three computers in China, according to Symantec's security response attack investigation team, in an attempt to spy on and even disrupt organisations' systems.

"The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won't notice their presence," said Symantec CEO Greg Clark. "They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements."

The use of such tactics mean attacks such as those launched by Thrip are taking longer for analysts to investigate, Symantec added, crediting the company's Targeted Attack Analytics (TAA) tool, which uses artificial intelligence to comb through a data lake of telemetry information to spot patterns associated with targeted attacks, facilitating the discovery.

Analysts grew more aware of Thrip's activities in January when they came across an attacker using the Microsoft Sysinternals tool PsExec to move laterally between machines in the infiltrated network of a Southeast Asian telecoms company.

They learned the malicious actors were using PsExec to install a previously unknown malware, later identified as an updated version of Trojan.Rikamanu, which had ties with the group they had been monitoring for five years. Thrip were also using a new piece of malware identified as Infostealer.Catchamas in this attack.

"Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies," Clark continued. "We stand ready to work with appropriate authorities to address this serious threat."

Of the most concern to Symantec was Thrip's interest in the operational side of a satellite communications company, with the group seeking to infect computers running software that monitor and control satellites.

Geospatial imaging and mapping, as well as three different telecommunications firms, and a defence contractor, comprised the remaining targets, as the attackers mainly focused on devices in the operational arms of these organisations.

"From the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger picture of a cyber espionage campaign originating from computers within China and targeting multiple organizations in the U.S. and Southeast Asia," Symantec's security response attack and investigation team wrote in its post.

"Espionage is the group's likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so."

Symantec's disclosure of Thrip's activity follows a string of similar discoveries that feed into the evolution of threats organisations around the world now face in an increasingly complex cybersecurity landscape.

Researchers at Bitdefender, for instance, recently uncovered a sophisticated rootkit-based adware dubbed Zacinlo, capable of taking a screenshot of users' desktops, which had been covertly operating for six years. Similarly, Bitdefender discovered a remote access tool that had been running undetected since 2015, named RadRAT, which offers attackers full control over seized computers.

Perhaps more aligned with the motives of Thrip, the as-of-yet unidentified group behind Olympic Destroyer - which disrupted the 2018 Winter Olympics in South Korea - have resurrected their advanced malware, targeting biochemical threat prevention laboratories and the Russian financial sector for reasons cybersecurity firm Kaspersky suggests may range from geopolitical motives to intent to stir trouble on the international stage.

Image: Shutterstock

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.