Attacks/Breaches

6/20/2018
04:04 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

China-Based Cyber Espionage Campaign Targets Satellite, Telecom, Defense Firms

Threat group Thrip is using three computers based in China to steal data from targeted companies in Southeast Asia and the US, Symantec says.

An advanced persistent threat group that is believed to be operating out of China is conducting a wide-ranging cyber espionage campaign targeting satellite, telecommunications, and defense organizations mostly in Southeast Asia and the United States.

Security vendor Symantec, which uncovered the campaign, says what's most worrying about the activity of the so-called Thrip group is its apparent interest in the operational networks of some of its victims. That suggests the attack group's motives may extend beyond spying to actual service disruption as well, the security vendor says.

"Thrip focused on systems that had software designed for the command and control of satellites," says Jon DiMaggio, senior threat intelligence analyst at Symantec. Thrip also targeted a company in the geospatial imagery business.

"Putting the two together makes a nice target package for an attacker that is interested in the information traversing through these satellites and the technology needed to make use of that data," DiMaggio notes. While Thrip might have been primarily interested in data theft with these two targets, the group certainly had the access to disrupt services. "The fact that an attacker could obtain that level of access should be very alarming and not taken lightly."

This is not the first time that security experts have warned about the potential for attackers to exploit vulnerabilities in satellite systems and equipment to disrupt critical services.

Four years ago, a security researcher at IOActive reported finding several critical flaws in firmware of widely used land-based satellite equipment that he warned could be used to disrupt communication services to airplanes, ships, industrial facilities and elsewhere. The same researcher is now scheduled to demonstrate at Black Hat USA 2018 how attackers can actually exploit such flaws to hijack communication links to airplanes, ships, and other facilities.

DiMaggio says Symantec has been unable so far to determine the exact infection vector that Thrip has been using in its current campaign. So it is unclear if the group might have targeted or exploited any of the vulnerabilities that IOActive has previously highlighted.

Symantec has been tracking Thrip since 2013 and believes the latest campaign began sometime in 2017. The security vendor stumbled upon the activity when it observed someone using Microsoft's PsExec tool to move laterally on the network of a large telecom operator in Southeast Asia. Symantec's investigation of the activity led to the discovery of a malicious tool previously associated with Thrip called Rikamanu being used in the attack. Symantec subsequently discovered three computers based in China being used in the Thrip attacks.

Its latest targets have including communications firms, geospatial imaging companies, and organizations in the defense sectors in the US and Southeast Asia.

Initially, Thrip relied heavily on custom-developed malware tools for its campaigns. But over the years Thrip has evolved to using a mix of legitimate software and system admin tools as well, Symantec says.

In the current campaign, for instance, Thrip has been using PsExec, a Microsoft tool for executing processes on other systems, for lateral movement on victim networks. Similarly, it has been using WinSCP, an open source FTP client to exfiltrate data, and also LogMeIn to apparently try and gain remote access to systems in target networks. Another tool that Thrip has been using in its current campaign is Mimikatz — software that can be used to escalate privileges, export security certificates and recover Windows passwords.

Thrip's tactic of using legitimate tools is a living-off-the-land approach that many other threat groups are using these days to avoid detection and attribution. Legitimate tools give attackers a way to hide malicious activity behind seemingly legitimate processes, thereby giving them a way blend in on the victim network. Importantly, using such tools makes it much harder to attribute attacks and campaigns to specific groups as well.

"We are starting to see attackers use various attacks in their arsenal, and not only rely on custom developed malware," says Anthony Giandomenico, senior security researcher at Fortinet FortiGuard Labs, which also issued an advisory on the Thrip campaign this week. "Using a combination of tools that are publicly available [and] has legitimate uses, along with [custom] malware, makes for an effective attack."

But as with previous campaigns, Thrip has also been using several custom-developed malware tools, Symantec says. They include Rikamanu, an information stealer; Catchamas, which is an updated version of Rikamanu; a keylogger named Mycicil; and a Trojan named Syndicasec.

"[Thrip has] absolutely matured in sophistication over the five years we have been tracking this group," DiMaggio says. "While we did not see any disruption or sabotage take place in this campaign, it technically may have been possible based on the systems Thrip was interested in."

The takeaway for organizations is the need to be extremely careful and diligent in their security posture, Dimaggio says. With more attackers now using living off the land tools and blending in with legitimate traffic, active defense is now a necessity. "Active defense does not mean hacking back, but does mean proactively hunting for this type of activity in their environments."

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.