Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/20/2018
04:04 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

China-Based Cyber Espionage Campaign Targets Satellite, Telecom, Defense Firms

Threat group Thrip is using three computers based in China to steal data from targeted companies in Southeast Asia and the US, Symantec says.

An advanced persistent threat group that is believed to be operating out of China is conducting a wide-ranging cyber espionage campaign targeting satellite, telecommunications, and defense organizations mostly in Southeast Asia and the United States.

Security vendor Symantec, which uncovered the campaign, says what's most worrying about the activity of the so-called Thrip group is its apparent interest in the operational networks of some of its victims. That suggests the attack group's motives may extend beyond spying to actual service disruption as well, the security vendor says.

"Thrip focused on systems that had software designed for the command and control of satellites," says Jon DiMaggio, senior threat intelligence analyst at Symantec. Thrip also targeted a company in the geospatial imagery business.

"Putting the two together makes a nice target package for an attacker that is interested in the information traversing through these satellites and the technology needed to make use of that data," DiMaggio notes. While Thrip might have been primarily interested in data theft with these two targets, the group certainly had the access to disrupt services. "The fact that an attacker could obtain that level of access should be very alarming and not taken lightly."

This is not the first time that security experts have warned about the potential for attackers to exploit vulnerabilities in satellite systems and equipment to disrupt critical services.

Four years ago, a security researcher at IOActive reported finding several critical flaws in firmware of widely used land-based satellite equipment that he warned could be used to disrupt communication services to airplanes, ships, industrial facilities and elsewhere. The same researcher is now scheduled to demonstrate at Black Hat USA 2018 how attackers can actually exploit such flaws to hijack communication links to airplanes, ships, and other facilities.

DiMaggio says Symantec has been unable so far to determine the exact infection vector that Thrip has been using in its current campaign. So it is unclear if the group might have targeted or exploited any of the vulnerabilities that IOActive has previously highlighted.

Symantec has been tracking Thrip since 2013 and believes the latest campaign began sometime in 2017. The security vendor stumbled upon the activity when it observed someone using Microsoft's PsExec tool to move laterally on the network of a large telecom operator in Southeast Asia. Symantec's investigation of the activity led to the discovery of a malicious tool previously associated with Thrip called Rikamanu being used in the attack. Symantec subsequently discovered three computers based in China being used in the Thrip attacks.

Its latest targets have including communications firms, geospatial imaging companies, and organizations in the defense sectors in the US and Southeast Asia.

Initially, Thrip relied heavily on custom-developed malware tools for its campaigns. But over the years Thrip has evolved to using a mix of legitimate software and system admin tools as well, Symantec says.

In the current campaign, for instance, Thrip has been using PsExec, a Microsoft tool for executing processes on other systems, for lateral movement on victim networks. Similarly, it has been using WinSCP, an open source FTP client to exfiltrate data, and also LogMeIn to apparently try and gain remote access to systems in target networks. Another tool that Thrip has been using in its current campaign is Mimikatz — software that can be used to escalate privileges, export security certificates and recover Windows passwords.

Thrip's tactic of using legitimate tools is a living-off-the-land approach that many other threat groups are using these days to avoid detection and attribution. Legitimate tools give attackers a way to hide malicious activity behind seemingly legitimate processes, thereby giving them a way blend in on the victim network. Importantly, using such tools makes it much harder to attribute attacks and campaigns to specific groups as well.

"We are starting to see attackers use various attacks in their arsenal, and not only rely on custom developed malware," says Anthony Giandomenico, senior security researcher at Fortinet FortiGuard Labs, which also issued an advisory on the Thrip campaign this week. "Using a combination of tools that are publicly available [and] has legitimate uses, along with [custom] malware, makes for an effective attack."

But as with previous campaigns, Thrip has also been using several custom-developed malware tools, Symantec says. They include Rikamanu, an information stealer; Catchamas, which is an updated version of Rikamanu; a keylogger named Mycicil; and a Trojan named Syndicasec.

"[Thrip has] absolutely matured in sophistication over the five years we have been tracking this group," DiMaggio says. "While we did not see any disruption or sabotage take place in this campaign, it technically may have been possible based on the systems Thrip was interested in."

The takeaway for organizations is the need to be extremely careful and diligent in their security posture, Dimaggio says. With more attackers now using living off the land tools and blending in with legitimate traffic, active defense is now a necessity. "Active defense does not mean hacking back, but does mean proactively hunting for this type of activity in their environments."

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...