Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/20/2018
04:04 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

China-Based Cyber Espionage Campaign Targets Satellite, Telecom, Defense Firms

Threat group Thrip is using three computers based in China to steal data from targeted companies in Southeast Asia and the US, Symantec says.

An advanced persistent threat group that is believed to be operating out of China is conducting a wide-ranging cyber espionage campaign targeting satellite, telecommunications, and defense organizations mostly in Southeast Asia and the United States.

Security vendor Symantec, which uncovered the campaign, says what's most worrying about the activity of the so-called Thrip group is its apparent interest in the operational networks of some of its victims. That suggests the attack group's motives may extend beyond spying to actual service disruption as well, the security vendor says.

"Thrip focused on systems that had software designed for the command and control of satellites," says Jon DiMaggio, senior threat intelligence analyst at Symantec. Thrip also targeted a company in the geospatial imagery business.

"Putting the two together makes a nice target package for an attacker that is interested in the information traversing through these satellites and the technology needed to make use of that data," DiMaggio notes. While Thrip might have been primarily interested in data theft with these two targets, the group certainly had the access to disrupt services. "The fact that an attacker could obtain that level of access should be very alarming and not taken lightly."

This is not the first time that security experts have warned about the potential for attackers to exploit vulnerabilities in satellite systems and equipment to disrupt critical services.

Four years ago, a security researcher at IOActive reported finding several critical flaws in firmware of widely used land-based satellite equipment that he warned could be used to disrupt communication services to airplanes, ships, industrial facilities and elsewhere. The same researcher is now scheduled to demonstrate at Black Hat USA 2018 how attackers can actually exploit such flaws to hijack communication links to airplanes, ships, and other facilities.

DiMaggio says Symantec has been unable so far to determine the exact infection vector that Thrip has been using in its current campaign. So it is unclear if the group might have targeted or exploited any of the vulnerabilities that IOActive has previously highlighted.

Symantec has been tracking Thrip since 2013 and believes the latest campaign began sometime in 2017. The security vendor stumbled upon the activity when it observed someone using Microsoft's PsExec tool to move laterally on the network of a large telecom operator in Southeast Asia. Symantec's investigation of the activity led to the discovery of a malicious tool previously associated with Thrip called Rikamanu being used in the attack. Symantec subsequently discovered three computers based in China being used in the Thrip attacks.

Its latest targets have including communications firms, geospatial imaging companies, and organizations in the defense sectors in the US and Southeast Asia.

Initially, Thrip relied heavily on custom-developed malware tools for its campaigns. But over the years Thrip has evolved to using a mix of legitimate software and system admin tools as well, Symantec says.

In the current campaign, for instance, Thrip has been using PsExec, a Microsoft tool for executing processes on other systems, for lateral movement on victim networks. Similarly, it has been using WinSCP, an open source FTP client to exfiltrate data, and also LogMeIn to apparently try and gain remote access to systems in target networks. Another tool that Thrip has been using in its current campaign is Mimikatz — software that can be used to escalate privileges, export security certificates and recover Windows passwords.

Thrip's tactic of using legitimate tools is a living-off-the-land approach that many other threat groups are using these days to avoid detection and attribution. Legitimate tools give attackers a way to hide malicious activity behind seemingly legitimate processes, thereby giving them a way blend in on the victim network. Importantly, using such tools makes it much harder to attribute attacks and campaigns to specific groups as well.

"We are starting to see attackers use various attacks in their arsenal, and not only rely on custom developed malware," says Anthony Giandomenico, senior security researcher at Fortinet FortiGuard Labs, which also issued an advisory on the Thrip campaign this week. "Using a combination of tools that are publicly available [and] has legitimate uses, along with [custom] malware, makes for an effective attack."

But as with previous campaigns, Thrip has also been using several custom-developed malware tools, Symantec says. They include Rikamanu, an information stealer; Catchamas, which is an updated version of Rikamanu; a keylogger named Mycicil; and a Trojan named Syndicasec.

"[Thrip has] absolutely matured in sophistication over the five years we have been tracking this group," DiMaggio says. "While we did not see any disruption or sabotage take place in this campaign, it technically may have been possible based on the systems Thrip was interested in."

The takeaway for organizations is the need to be extremely careful and diligent in their security posture, Dimaggio says. With more attackers now using living off the land tools and blending in with legitimate traffic, active defense is now a necessity. "Active defense does not mean hacking back, but does mean proactively hunting for this type of activity in their environments."

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25514
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php.
CVE-2020-25515
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Insecure Permissions via Books > New Book , http://<site>/lms/index.php?page=books.
CVE-2020-14022
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Star...
CVE-2020-14023
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS.
CVE-2020-14024
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuratio...