Attacks/Breaches

6/20/2018
04:04 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

China-Based Cyber Espionage Campaign Targets Satellite, Telecom, Defense Firms

Threat group Thrip is using three computers based in China to steal data from targeted companies in Southeast Asia and the US, Symantec says.

An advanced persistent threat group that is believed to be operating out of China is conducting a wide-ranging cyber espionage campaign targeting satellite, telecommunications, and defense organizations mostly in Southeast Asia and the United States.

Security vendor Symantec, which uncovered the campaign, says what's most worrying about the activity of the so-called Thrip group is its apparent interest in the operational networks of some of its victims. That suggests the attack group's motives may extend beyond spying to actual service disruption as well, the security vendor says.

"Thrip focused on systems that had software designed for the command and control of satellites," says Jon DiMaggio, senior threat intelligence analyst at Symantec. Thrip also targeted a company in the geospatial imagery business.

"Putting the two together makes a nice target package for an attacker that is interested in the information traversing through these satellites and the technology needed to make use of that data," DiMaggio notes. While Thrip might have been primarily interested in data theft with these two targets, the group certainly had the access to disrupt services. "The fact that an attacker could obtain that level of access should be very alarming and not taken lightly."

This is not the first time that security experts have warned about the potential for attackers to exploit vulnerabilities in satellite systems and equipment to disrupt critical services.

Four years ago, a security researcher at IOActive reported finding several critical flaws in firmware of widely used land-based satellite equipment that he warned could be used to disrupt communication services to airplanes, ships, industrial facilities and elsewhere. The same researcher is now scheduled to demonstrate at Black Hat USA 2018 how attackers can actually exploit such flaws to hijack communication links to airplanes, ships, and other facilities.

DiMaggio says Symantec has been unable so far to determine the exact infection vector that Thrip has been using in its current campaign. So it is unclear if the group might have targeted or exploited any of the vulnerabilities that IOActive has previously highlighted.

Symantec has been tracking Thrip since 2013 and believes the latest campaign began sometime in 2017. The security vendor stumbled upon the activity when it observed someone using Microsoft's PsExec tool to move laterally on the network of a large telecom operator in Southeast Asia. Symantec's investigation of the activity led to the discovery of a malicious tool previously associated with Thrip called Rikamanu being used in the attack. Symantec subsequently discovered three computers based in China being used in the Thrip attacks.

Its latest targets have including communications firms, geospatial imaging companies, and organizations in the defense sectors in the US and Southeast Asia.

Initially, Thrip relied heavily on custom-developed malware tools for its campaigns. But over the years Thrip has evolved to using a mix of legitimate software and system admin tools as well, Symantec says.

In the current campaign, for instance, Thrip has been using PsExec, a Microsoft tool for executing processes on other systems, for lateral movement on victim networks. Similarly, it has been using WinSCP, an open source FTP client to exfiltrate data, and also LogMeIn to apparently try and gain remote access to systems in target networks. Another tool that Thrip has been using in its current campaign is Mimikatz — software that can be used to escalate privileges, export security certificates and recover Windows passwords.

Thrip's tactic of using legitimate tools is a living-off-the-land approach that many other threat groups are using these days to avoid detection and attribution. Legitimate tools give attackers a way to hide malicious activity behind seemingly legitimate processes, thereby giving them a way blend in on the victim network. Importantly, using such tools makes it much harder to attribute attacks and campaigns to specific groups as well.

"We are starting to see attackers use various attacks in their arsenal, and not only rely on custom developed malware," says Anthony Giandomenico, senior security researcher at Fortinet FortiGuard Labs, which also issued an advisory on the Thrip campaign this week. "Using a combination of tools that are publicly available [and] has legitimate uses, along with [custom] malware, makes for an effective attack."

But as with previous campaigns, Thrip has also been using several custom-developed malware tools, Symantec says. They include Rikamanu, an information stealer; Catchamas, which is an updated version of Rikamanu; a keylogger named Mycicil; and a Trojan named Syndicasec.

"[Thrip has] absolutely matured in sophistication over the five years we have been tracking this group," DiMaggio says. "While we did not see any disruption or sabotage take place in this campaign, it technically may have been possible based on the systems Thrip was interested in."

The takeaway for organizations is the need to be extremely careful and diligent in their security posture, Dimaggio says. With more attackers now using living off the land tools and blending in with legitimate traffic, active defense is now a necessity. "Active defense does not mean hacking back, but does mean proactively hunting for this type of activity in their environments."

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Lessons from My Strange Journey into InfoSec
Lysa Myers, Security Researcher, ESET,  7/12/2018
What's Cooking With Caleb Sima
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-9574
PUBLISHED: 2018-07-19
nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.
CVE-2017-2673
PUBLISHED: 2018-07-19
An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles.
CVE-2017-7481
PUBLISHED: 2018-07-19
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templati...
CVE-2018-12911
PUBLISHED: 2018-07-19
WebKitGTK+ 2.20.3 has an off-by-one error, with a resultant out-of-bounds write, in the get_simple_globs functions in ThirdParty/xdgmime/src/xdgmimecache.c and ThirdParty/xdgmime/src/xdgmimeglob.c.
CVE-2018-14404
PUBLISHED: 2018-07-19
A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulne...