Chinese-linked hacking group Thrip launching malware attacks on satellite and defence companies

Thrip has been targeting the operational side of US and Southeast Asian firms since 2013

A wide-reaching malware-based espionage operation, undetected for five years, has infiltrated satellite, telecoms and defence companies across the US and Southeast Asia.

Security company Symantec has been monitoring the group, known as Thrip, since 2013, and says its attacks originate from machines in China. Over that period it has gathered information about a malware campaign whose array of highly sensitive targets points to espionage or even disruption.


Thrip used 'living off the land' tactics, a growing trend in which attackers rely on tools already installed on targeted devices so that they blend into victims' networks and hide malicious activity among legitimate processes. According to Symantec's security response attack investigation team, the group launched its attacks from three computers in China in an attempt to spy on, and potentially disrupt, organisations' systems.

"The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won't notice their presence," said Symantec CEO Greg Clark. "They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements."

The use of such tactics means attacks like those launched by Thrip take longer for analysts to investigate, Symantec added. The company credited its Targeted Attack Analytics (TAA) tool with the discovery: TAA uses artificial intelligence to comb through a data lake of telemetry and spot patterns associated with targeted attacks.


Analysts became aware of Thrip's latest activity in January, when they came across an attacker using the Microsoft Sysinternals tool PsExec to move laterally between machines in the infiltrated network of a Southeast Asian telecoms company.

They learned the malicious actors were using PsExec to install a previously unknown malware, later identified as an updated version of Trojan.Rikamanu, which had ties with the group they had been monitoring for five years. Thrip were also using a new piece of malware identified as Infostealer.Catchamas in this attack.
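The PsExec lateral movement described above leaves a well-known trace on each machine it reaches: by default PsExec installs a temporary Windows service named PSEXESVC, which the System event log records as Event ID 7045 ("A service was installed in the system"). The following is an added detection example, not code from the article or from Symantec's TAA; it runs over a few constructed, JSON-flattened log records (field names such as `service_name`, `image_path` and `account` are assumptions about how a log forwarder might label them) and groups PsExec service installs by the account that seeded them, so that one account touching several hosts in quick succession stands out for triage.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry): Windows System log entries
# flattened to JSON lines. Event ID 7045 = "A service was installed in the
# system". Hostnames, accounts and timestamps are invented for illustration.
SAMPLE_LOG = r"""
{"ts": "2018-01-15T09:12:03Z", "host": "ws-fin-07", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\svc-backup"}
{"ts": "2018-01-15T09:12:41Z", "host": "ws-fin-12", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\svc-backup"}
{"ts": "2018-01-15T09:13:10Z", "host": "srv-noc-01", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\svc-backup"}
{"ts": "2018-01-15T10:00:00Z", "host": "ws-fin-07", "event_id": 7045, "service_name": "Dhcp", "image_path": "%SystemRoot%\\system32\\svchost.exe -k NetworkService", "account": "LocalSystem"}
{"ts": "2018-01-15T10:05:00Z", "host": "ws-fin-07", "event_id": 7036, "service_name": "PSEXESVC", "image_path": "", "account": ""}
"""

# PsExec's default service name and binary. A renamed build would evade the
# name check, so the image-path check is kept as a second, independent signal.
PSEXEC_SERVICE = re.compile(r"^psexesvc$", re.IGNORECASE)
PSEXEC_IMAGE = re.compile(r"psexesvc\.exe", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_psexec_service_install(event):
    """True for a 7045 service-install event whose service name or binary matches PsExec."""
    if event.get("event_id") != 7045:
        return False
    name_hit = PSEXEC_SERVICE.match(event.get("service_name", ""))
    image_hit = PSEXEC_IMAGE.search(event.get("image_path", ""))
    return bool(name_hit or image_hit)


def summarise_lateral_movement(events, min_hosts=2, window_minutes=60):
    """Group PsExec service installs by installing account.

    Returns {account: sorted list of hosts} for every account that seeded the
    PsExec service on at least `min_hosts` distinct machines within
    `window_minutes` of its first install. One admin fixing one box is normal;
    one account fanning out across several boxes in minutes is the pattern
    worth a closer look.
    """
    installs = defaultdict(list)
    for event in events:
        if is_psexec_service_install(event):
            ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            installs[event["account"]].append((ts, event["host"]))

    findings = {}
    for account, hits in installs.items():
        hits.sort()
        first = hits[0][0]
        in_window = {host for ts, host in hits
                     if (ts - first).total_seconds() <= window_minutes * 60}
        if len(in_window) >= min_hosts:
            findings[account] = sorted(in_window)
    return findings


if __name__ == "__main__":
    for account, hosts in summarise_lateral_movement(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: PsExec service installed on {len(hosts)} hosts: {', '.join(hosts)}")
```

In the constructed sample, the benign DHCP service install and the later 7036 state-change event are ignored, and the one account that installed PSEXESVC on three hosts within two minutes is reported. Because PsExec is a legitimate administration tool, the output is a triage lead rather than a verdict; the point of the grouping is to separate routine single-host use from the fan-out that characterises lateral movement.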

"Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies," Clark continued. "We stand ready to work with appropriate authorities to address this serious threat."

Of most concern to Symantec was Thrip's interest in the operational side of a satellite communications company: the group sought to infect computers running the software that monitors and controls satellites.

A geospatial imaging and mapping organisation, three different telecommunications firms and a defence contractor made up the remaining targets, with the attackers mainly focused on devices in the operational arms of these organisations.


"From the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger picture of a cyber espionage campaign originating from computers within China and targeting multiple organizations in the U.S. and Southeast Asia," Symantec's security response attack and investigation team wrote in its post.

"Espionage is the group's likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so."

Symantec's disclosure of Thrip's activity follows a string of similar discoveries that feed into the evolution of threats organisations around the world now face in an increasingly complex cybersecurity landscape.

Researchers at Bitdefender, for instance, recently uncovered a sophisticated rootkit-based adware dubbed Zacinlo, capable of taking a screenshot of users' desktops, which had been covertly operating for six years. Similarly, Bitdefender discovered a remote access tool that had been running undetected since 2015, named RadRAT, which offers attackers full control over seized computers.


Perhaps more aligned with the motives of Thrip, the as-yet unidentified group behind Olympic Destroyer - which disrupted the 2018 Winter Olympics in South Korea - has resurrected its advanced malware, targeting biochemical threat prevention laboratories and the Russian financial sector for reasons cybersecurity firm Kaspersky suggests may range from geopolitical motives to an intent to stir trouble on the international stage.
