Chinese-linked hacking group Thrip launching malware attacks on satellite and defence companies

Thrip has been targeting the operational side of US and Southeast Asian firms since 2013

A wide-reaching malware-based espionage operation, undetected for five years, has infiltrated satellite, telecoms and defence companies across the US and Southeast Asia.

Security company Symantec has been monitoring the group, which it calls Thrip, since 2013. The campaign originates from machines in China and has an array of highly sensitive targets that point to espionage or even disruption.


Thrip relies on 'living off the land' tactics: a growing trend in which attackers use tools already installed on targeted devices to blend into victims' networks and hide malicious activity among legitimate processes. According to Symantec's security response attack investigation team, the group launched its attacks from three computers in China in an attempt to spy on, and potentially disrupt, organisations' systems.

"The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won't notice their presence," said Symantec CEO Greg Clark. "They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements."

Such tactics mean attacks like Thrip's take longer for analysts to investigate, Symantec added. It credited the discovery to its Targeted Attack Analytics (TAA) tool, which uses artificial intelligence to comb through a data lake of telemetry for patterns associated with targeted attacks.


Analysts grew more aware of Thrip's activities in January, when they came across an attacker using the Microsoft Sysinternals tool PsExec to move laterally between machines in the infiltrated network of a Southeast Asian telecoms company.

They learned the attackers were using PsExec to install previously unknown malware, later identified as an updated version of Trojan.Rikamanu, which linked the activity to the group Symantec had been monitoring for five years. Thrip was also using a new piece of malware, identified as Infostealer.Catchamas, in this attack.
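PsExec works by copying a service executable to the target host and registering it as a Windows service, so each lateral hop leaves a service-installation event (ID 7045) on the destination machine. The detector below is an added defensive example, not Symantec's or Sysinternals' code; the log lines, host names, timestamps and the renamed service are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows System-log lines (Event ID 7045, "a service was
# installed"), exported one event per line. Hosts and times are made up;
# PSEXESVC is the service name the stock PsExec binary registers.
SAMPLE_LOG = r"""
2018-01-12T09:14:03 SRV-TELCO-01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe StartType=demand start Account=LocalSystem
2018-01-12T09:14:05 SRV-TELCO-01 EventID=7045 ServiceName=Spooler ImagePath=%SystemRoot%\System32\spoolsv.exe StartType=auto start Account=LocalSystem
2018-01-12T09:20:41 SRV-TELCO-07 EventID=7045 ServiceName=ops-helper ImagePath=\\?\C:\Windows\PSEXESVC-OPS.exe StartType=demand start Account=LocalSystem
2018-01-12T09:25:00 SRV-TELCO-07 EventID=4624 LogonType=3 Account=svc_backup
"""

# key=value pairs whose values may contain spaces (e.g. "demand start")
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
PSEXEC_RE = re.compile(r"psexesvc", re.IGNORECASE)


@dataclass
class Alert:
    time: str
    host: str
    service: str
    reason: str


def parse_line(line: str) -> dict:
    """Split 'TIME HOST key=value ...' into a dict of fields."""
    time, host, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields.update(time=time, host=host)
    return fields


def detect_psexec_services(log: str) -> list[Alert]:
    """Flag 7045 events whose service name or image file looks like PsExec's service."""
    alerts = []
    for line in log.strip().splitlines():
        ev = parse_line(line)
        if ev.get("EventID") != "7045":
            continue
        name = ev.get("ServiceName", "")
        image = ev.get("ImagePath", "").rsplit("\\", 1)[-1]  # file name only
        if PSEXEC_RE.search(name):
            alerts.append(Alert(ev["time"], ev["host"], name, "service name"))
        elif PSEXEC_RE.search(image):
            # A service registered under an innocuous name but pointing at the
            # PsExec service binary is still caught by checking the image file.
            alerts.append(Alert(ev["time"], ev["host"], name, "image path"))
    return alerts


if __name__ == "__main__":
    for a in detect_psexec_services(SAMPLE_LOG):
        print(f"{a.time} {a.host}: service {a.service!r} flagged by {a.reason}")
```

Two hits within minutes on different hosts is the shape of the lateral movement described above; legitimate administrative use of PsExec will also trigger this, so correlate with the source account and change windows before escalating.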

"Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies," Clark continued. "We stand ready to work with appropriate authorities to address this serious threat."

Of most concern to Symantec was Thrip's interest in the operational side of a satellite communications company, with the group seeking to infect computers running software that monitors and controls satellites.

A geospatial imaging and mapping organisation, three telecommunications firms and a defence contractor made up the remaining targets, with the attackers mainly focusing on devices in the operational arms of these organisations.


"From the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger picture of a cyber espionage campaign originating from computers within China and targeting multiple organizations in the U.S. and Southeast Asia," Symantec's security response attack and investigation team wrote in its post.

"Espionage is the group's likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so."

Symantec's disclosure of Thrip's activity follows a string of similar discoveries that feed into the evolution of threats organisations around the world now face in an increasingly complex cybersecurity landscape.

Researchers at Bitdefender, for instance, recently uncovered a sophisticated rootkit-based adware dubbed Zacinlo, capable of taking a screenshot of users' desktops, which had been covertly operating for six years. Similarly, Bitdefender discovered a remote access tool that had been running undetected since 2015, named RadRAT, which offers attackers full control over seized computers.


Perhaps more aligned with the motives of Thrip, the as-yet unidentified group behind Olympic Destroyer, which disrupted the 2018 Winter Olympics in South Korea, has resurrected its advanced malware, targeting biochemical threat prevention laboratories and the Russian financial sector for reasons cybersecurity firm Kaspersky suggests may range from geopolitical motives to intent to stir trouble on the international stage.
