China-Based Cyber Espionage Campaign Targets Satellite, Telecom, Defense Firms

An advanced persistent threat group that is believed to be operating out of China is conducting a wide-ranging cyber espionage campaign targeting satellite, telecommunications, and defense organizations mostly in Southeast Asia and the United States.

Security vendor Symantec, which uncovered the campaign, says what's most worrying about the activity of the so-called Thrip group is its apparent interest in the operational networks of some of its victims. That suggests the attack group's motives may extend beyond spying to actual service disruption as well, the security vendor says.

"Thrip focused on systems that had software designed for the command and control of satellites," says Jon DiMaggio, senior threat intelligence analyst at Symantec. Thrip also targeted a company in the geospatial imagery business.

"Putting the two together makes a nice target package for an attacker that is interested in the information traversing through these satellites and the technology needed to make use of that data," DiMaggio notes. While Thrip might have been primarily interested in data theft with these two targets, the group certainly had the access to disrupt services. "The fact that an attacker could obtain that level of access should be very alarming and not taken lightly."

This is not the first time that security experts have warned about the potential for attackers to exploit vulnerabilities in satellite systems and equipment to disrupt critical services.

Four years ago, a security researcher at IOActive reported finding several critical flaws in firmware of widely used land-based satellite equipment that he warned could be used to disrupt communication services to airplanes, ships, industrial facilities and elsewhere. The same researcher is now scheduled to demonstrate at Black Hat USA 2018 how attackers can actually exploit such flaws to hijack communication links to airplanes, ships, and other facilities.

DiMaggio says Symantec has been unable so far to determine the exact infection vector that Thrip has been using in its current campaign. So it is unclear if the group might have targeted or exploited any of the vulnerabilities that IOActive has previously highlighted.

Symantec has been tracking Thrip since 2013 and believes the latest campaign began sometime in 2017. The security vendor stumbled upon the activity when it observed someone using Microsoft's PsExec tool to move laterally on the network of a large telecom operator in Southeast Asia. Symantec's investigation of the activity led to the discovery of a malicious tool previously associated with Thrip called Rikamanu being used in the attack. Symantec subsequently discovered three computers based in China being used in the Thrip attacks.

Its latest targets have including communications firms, geospatial imaging companies, and organizations in the defense sectors in the US and Southeast Asia.

Initially, Thrip relied heavily on custom-developed malware tools for its campaigns. But over the years Thrip has evolved to using a mix of legitimate software and system admin tools as well, Symantec says.

In the current campaign, for instance, Thrip has been using PsExec, a Microsoft tool for executing processes on other systems, for lateral movement on victim networks. Similarly, it has been using WinSCP, an open source FTP client to exfiltrate data, and also LogMeIn to apparently try and gain remote access to systems in target networks. Another tool that Thrip has been using in its current campaign is Mimikatz — software that can be used to escalate privileges, export security certificates and recover Windows passwords.

Thrip's tactic of using legitimate tools is a living-off-the-land approach that many other threat groups are using these days to avoid detection and attribution. Legitimate tools give attackers a way to hide malicious activity behind seemingly legitimate processes, thereby giving them a way blend in on the victim network. Importantly, using such tools makes it much harder to attribute attacks and campaigns to specific groups as well.

"We are starting to see attackers use various attacks in their arsenal, and not only rely on custom developed malware," says Anthony Giandomenico, senior security researcher at Fortinet FortiGuard Labs, which also issued an advisory on the Thrip campaign this week. "Using a combination of tools that are publicly available [and] has legitimate uses, along with [custom] malware, makes for an effective attack."

But as with previous campaigns, Thrip has also been using several custom-developed malware tools, Symantec says. They include Rikamanu, an information stealer; Catchamas, which is an updated version of Rikamanu; a keylogger named Mycicil; and a Trojan named Syndicasec.

"[Thrip has] absolutely matured in sophistication over the five years we have been tracking this group," DiMaggio says. "While we did not see any disruption or sabotage take place in this campaign, it technically may have been possible based on the systems Thrip was interested in."

The takeaway for organizations is the need to be extremely careful and diligent in their security posture, Dimaggio says. With more attackers now using living off the land tools and blending in with legitimate traffic, active defense is now a necessity. "Active defense does not mean hacking back, but does mean proactively hunting for this type of activity in their environments."

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.