Chinese-linked hacking group Thrip launching malware attacks on satellite and defence companies

Thrip has been targeting the operational side of US and Southeast Asian firms since 2013

A wide-reaching malware-based espionage operation, undetected for five years, has infiltrated satellite, telecoms and defence companies across the US and Southeast Asia.

Originating from machines in China, security company Symantec has been monitoring the group Thrip since 2013, gathering information about a malware campaign with an array of highly sensitive targets that point to espionage or even disruption.

Using 'living off the land' tactics, a growing trend of attackers using tools already installed on targeted devices to blend into victims' networks and hide malicious activity among legitimate processes, Thrip launched attacks from three computers in China, according to Symantec's security response attack investigation team, in an attempt to spy on and even disrupt organisations' systems.

"The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won't notice their presence," said Symantec CEO Greg Clark. "They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements."

The use of such tactics mean attacks such as those launched by Thrip are taking longer for analysts to investigate, Symantec added, crediting the company's Targeted Attack Analytics (TAA) tool, which uses artificial intelligence to comb through a data lake of telemetry information to spot patterns associated with targeted attacks, facilitating the discovery.

Advertisement - Article continues below
Advertisement - Article continues below

Analysts grew more aware of Thrip's activities in January when they came across an attacker using the Microsoft Sysinternals tool PsExec to move laterally between machines in the infiltrated network of a Southeast Asian telecoms company. 

They learned the malicious actors were using PsExec to install a previously unknown malware, later identified as an updated version of Trojan.Rikamanu, which had ties with the group they had been monitoring for five years. Thrip were also using a new piece of malware identified as Infostealer.Catchamas in this attack.

"Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies," Clark continued. "We stand ready to work with appropriate authorities to address this serious threat."

Of the most concern to Symantec was Thrip's interest in the operational side of a satellite communications company, with the group seeking to infect computers running software that monitor and control satellites.

Geospatial imaging and mapping, as well as three different telecommunications firms, and a defence contractor, comprised the remaining targets, as the attackers mainly focused on devices in the operational arms of these organisations.

Advertisement - Article continues below

"From the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger picture of a cyber espionage campaign originating from computers within China and targeting multiple organizations in the U.S. and Southeast Asia," Symantec's security response attack and investigation team wrote in its post.

"Espionage is the group's likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so."

Symantec's disclosure of Thrip's activity follows a string of similar discoveries that feed into the evolution of threats organisations around the world now face in an increasingly complex cybersecurity landscape.

Researchers at Bitdefender, for instance, recently uncovered a sophisticated rootkit-based adware dubbed Zacinlo, capable of taking a screenshot of users' desktops, which had been covertly operating for six years. Similarly, Bitdefender discovered a remote access tool that had been running undetected since 2015, named RadRAT, which offers attackers full control over seized computers.

Perhaps more aligned with the motives of Thrip, the as-of-yet unidentified group behind Olympic Destroyer - which disrupted the 2018 Winter Olympics in South Korea - have resurrected their advanced malware, targeting biochemical threat prevention laboratories and the Russian financial sector for reasons cybersecurity firm Kaspersky suggests may range from geopolitical motives to intent to stir trouble on the international stage.

Image: Shutterstock

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



What is cyber warfare?

20 Sep 2019

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020