Chinese-linked hacking group Thrip launching malware attacks on satellite and defence companies
Thrip has been targeting the operational side of US and Southeast Asian firms since 2013
A wide-reaching malware-based espionage operation, undetected for five years, has infiltrated satellite, telecoms and defence companies across the US and Southeast Asia.
Security company Symantec has been monitoring the group, known as Thrip, since 2013. Its attacks originate from machines in China, and the campaign's array of highly sensitive targets points to espionage or even disruption.
Thrip launched its attacks from three computers in China, according to Symantec's security response attack investigation team, in an attempt to spy on and even disrupt organisations' systems. The group relied on 'living off the land' tactics: a growing trend in which attackers use tools already installed on targeted devices to blend into victims' networks and hide malicious activity among legitimate processes.
"The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won't notice their presence," said Symantec CEO Greg Clark. "They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements."
The use of such tactics means attacks such as those launched by Thrip take longer for analysts to investigate, Symantec added. The company credited its Targeted Attack Analytics (TAA) tool, which uses artificial intelligence to comb through a data lake of telemetry information for patterns associated with targeted attacks, with facilitating the discovery.
Analysts grew more aware of Thrip's activities in January when they came across an attacker using the Microsoft Sysinternals tool PsExec to move laterally between machines in the infiltrated network of a Southeast Asian telecoms company.
They learned the malicious actors were using PsExec to install a previously unknown malware, later identified as an updated version of Trojan.Rikamanu, which had ties with the group they had been monitoring for five years. Thrip were also using a new piece of malware identified as Infostealer.Catchamas in this attack.
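The PsExec lateral movement described above leaves a well-known host artifact that defenders can hunt for: by default PsExec installs a service named PSEXESVC on the remote machine, which Windows records in the System event log as Event ID 7045 ("A service was installed in the system"). The following is an added example, not code from the article or from Symantec, that runs a simple detector over constructed, flattened event-log lines. The hostnames, timestamps and key=value log format are invented for the example, and the list of "writable path" markers used to catch renamed services is a heuristic assumption, not a published rule.

```python
"""Flag PsExec-style remote service installation in flattened Windows System log lines.

Added example: the log format, hostnames and timestamps below are constructed for
illustration; Event ID 7045 and the default PSEXESVC service name are real Windows /
Sysinternals facts, the writable-path heuristic is an assumption.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events (not from the article): one default PsExec service install,
# one service dropped from a temp directory, one legitimate service, one non-install
# event, and one service whose binary sits on an ADMIN$ share.
SAMPLE_EVENTS = [
    "2018-01-12T09:14:02Z host=tel-ws-07 EventID=7045 ServiceName=PSEXESVC "
    "ImagePath=%SystemRoot%\\PSEXESVC.exe AccountName=LocalSystem",
    "2018-01-12T09:15:40Z host=tel-ws-07 EventID=7045 ServiceName=WindowsUpdateHelper "
    "ImagePath=C:\\Windows\\Temp\\svc.exe AccountName=LocalSystem",
    "2018-01-12T10:02:11Z host=tel-ws-12 EventID=7045 ServiceName=Spooler "
    "ImagePath=C:\\Windows\\System32\\spoolsv.exe AccountName=LocalSystem",
    "2018-01-12T10:03:55Z host=tel-ws-12 EventID=7036 ServiceName=PSEXESVC State=running",
    "2018-01-12T10:10:00Z host=tel-ws-19 EventID=7045 ServiceName=MyApp "
    "ImagePath=\\\\tel-ws-19\\ADMIN$\\tool.exe AccountName=LocalSystem",
]

# key=value pairs; values may be quoted or a single non-space token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: service binaries launched from these locations are unusual for
# legitimate software and typical of remote-execution tooling (PsExec's -r switch
# lets an operator rename the service, so the name alone is not enough).
SUSPICIOUS_PATH_MARKERS = ("\\temp\\", "\\admin$\\", "\\users\\public\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened event line; the first token is taken as the timestamp."""
    fields = {"timestamp": line.split(" ", 1)[0]}
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def classify_service_install(ev: Dict[str, str]) -> Optional[str]:
    """Return a verdict string for a suspicious 7045 event, or None if nothing stands out."""
    if ev.get("EventID") != "7045":
        return None
    name = ev.get("ServiceName", "")
    path = ev.get("ImagePath", "").lower()
    # Rule 1: the default PsExec service name or binary, regardless of location.
    if name.upper() == "PSEXESVC" or path.endswith("\\psexesvc.exe"):
        return "psexec-default-service"
    # Rule 2 (heuristic): a new service whose binary lives in a writable or share path.
    if any(marker in path for marker in SUSPICIOUS_PATH_MARKERS):
        return "service-from-writable-path"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run both rules over every line and collect findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify_service_install(ev)
        if verdict:
            findings.append({
                "timestamp": ev["timestamp"],
                "host": ev.get("host", "?"),
                "service": ev.get("ServiceName", ""),
                "verdict": verdict,
            })
    return findings


def hosts_with_findings(lines: List[str]) -> List[str]:
    """Distinct hosts that produced at least one finding, for a quick triage list."""
    return sorted({f["host"] for f in scan(lines)})


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['timestamp']} {f['host']:10} {f['service']:22} {f['verdict']}")
    print("hosts to triage:", ", ".join(hosts_with_findings(SAMPLE_EVENTS)))
```

Rule 1 catches stock PsExec use; rule 2 is what surfaces a renamed service, at the cost of some false positives from installers that legitimately stage binaries in Temp, so tune the marker list to the environment. The same logic applies to Security log Event ID 4697 where service-install auditing is enabled, and a further corroborating signal is a prior SMB write of the service binary to the target's ADMIN$ share.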
"Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies," Clark continued. "We stand ready to work with appropriate authorities to address this serious threat."
Of most concern to Symantec was Thrip's interest in the operational side of a satellite communications company, where the group sought to infect computers running the software that monitors and controls satellites.
The remaining targets were a geospatial imaging and mapping organisation, three different telecommunications firms and a defence contractor; in each case the attackers focused mainly on devices in the operational arms of these organisations.
"From the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger picture of a cyber espionage campaign originating from computers within China and targeting multiple organizations in the U.S. and Southeast Asia," Symantec's security response attack and investigation team wrote in its post.
"Espionage is the group's likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so."
Symantec's disclosure of Thrip's activity follows a string of similar discoveries that feed into the evolution of threats organisations around the world now face in an increasingly complex cybersecurity landscape.
Researchers at Bitdefender, for instance, recently uncovered a sophisticated rootkit-based adware dubbed Zacinlo, capable of taking a screenshot of users' desktops, which had been covertly operating for six years. Similarly, Bitdefender discovered a remote access tool that had been running undetected since 2015, named RadRAT, which offers attackers full control over seized computers.
Perhaps more aligned with the motives of Thrip, the as-yet unidentified group behind Olympic Destroyer, which disrupted the 2018 Winter Olympics in South Korea, has resurrected its advanced malware, targeting biochemical threat prevention laboratories and the Russian financial sector for reasons that cybersecurity firm Kaspersky suggests may range from geopolitical motives to an intent to stir trouble on the international stage.