Thrip Group's Latest Attacks Trace to China, Maybe Beyond
Symantec says it has uncovered a cyber espionage campaign that has focused on infiltrating three telecommunications operators in Southeast Asia, as well as a defense contractor and a satellite communications operator. Some targets are based in the United States.
The security company, based in Mountain View, California, warns that the hacking group responsible for the attacks - it calls the group Thrip - appears to carefully target victims and may be putting in place beachheads designed to facilitate more harmful attacks.
"Espionage is the group's likely motive, but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so," researchers at Symantec's security response attack investigation team say in a blog post.
Symantec says the intrusions could have been used to spy on satellite communications or even to reposition satellites and disrupt their operations.
"Disruption to satellites could leave civilian as well as military installations subject to huge [real-world] disruptions," Vikram Thakur, technical director at Symantec, tells Reuters. "We are extremely dependent on their functionality."
Symantec's alert about this hacking group follows the U.S. and U.K. governments in April issuing an unprecedented warning that Russia-linked hackers have waged an extensive campaign to infiltrate routers, switches, firewalls and network intrusion detection systems. As with Thrip, the infections appear to give attackers footholds in vulnerable but critical systems that could be used for spying, stealing intellectual property and launching physically disruptive attacks.
Latest Attack Source: China, Maybe
There has been no suggestion that Thrip is linked to those allegedly Russia-backed attacks.
As is customary for many information security firms, Symantec declined to speculate on who may be responsible for Thrip. It also said it's not clear how Thrip is infecting targeted systems.
Symantec says it's been tracking Thrip since 2013 and already shared information on the latest attacks with the FBI and U.S. Department of Homeland Security as well as government defense agencies in Southeast Asia and other security firms. Symantec says Thrip's attacks appeared to go dark in 2016.
The latest Thrip attacks trace back to three computers in China, Symantec says. In other words, the Chinese government may, in theory, have ordered the attacks. But experts continue to caution that the origin of attacks isn't a reliable indicator when it comes to attribution because hackers often attempt to obscure their true location or even to intentionally cast the blame on others.
Attackers Tap Legitimate Tools
Thrip triggered Symantec's attention again in January. The company noticed it was using a legitimate Microsoft management tool called PsExec to move to other computers within a telecommunications operator's network in Southeast Asia. Previously, Thrip had used customized malware, it says.
PsExec is a replacement for telnet that allows administrators to remotely connect to other systems. Attackers have increasingly sought to use legitimate tools on an already compromised system in an effort to go unnoticed, a technique often referred to as "living off the land."
"By using such features and tools, attackers are hoping to blend in on the victim's network and hide their activity in a sea of legitimate processes," Symantec says. "Even if malicious activity involving these tools is detected, it can make it harder to attribute attacks. If everyone is using similar tools, it's more difficult to distinguish one group from another."
Symantec says it used an analytics service it developed called Targeted Attack Analytics to help spot Thrip's latest activity. TAA leverages machine learning and artificial intelligence to spot patterns within telemetry data that indicate malicious behavior using legitimate tools.
"TAA not only flagged this malicious use of PsExec, it also told us what the attackers were using it for," Symantec says. "They were attempting to remotely install a previously unknown piece of malware on computers within the victim's network."
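The detection problem the article describes, a legitimate administration tool used for lateral movement, is easiest to see against concrete telemetry. The following is an added example and is not Symantec's TAA, nor any code from the article: it scans a handful of constructed Windows event records for two artifacts PsExec leaves by default, a System log event 7045 (new service installed) for the PSEXESVC service on the remote host, and a Security log event 4688 (process creation) for psexec.exe on the source host, then groups hits by host so that one machine fanning out to several others stands out. The event field layout and all host and user names are this example's own.

```python
"""Flag PsExec-style lateral movement in Windows event telemetry.

Added example (not Symantec's TAA and not from the article). It looks for
two default PsExec artifacts:
  - System log event 7045 (service installed) naming the PSEXESVC service
    on the machine being connected to; and
  - Security log event 4688 (process creation) for psexec.exe on the
    machine the operator typed the command on.
Hits are grouped by host, and the \\target tokens in psexec.exe command
lines are collected to show which machines one source reached.
"""
from collections import defaultdict

# Constructed sample telemetry; the dict layout is this example's own,
# not the raw Windows event schema.
SAMPLE_EVENTS = [
    {"host": "ws-admin-01", "event_id": 4688, "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\srv-telco-07 -s cmd.exe", "user": "CORP\\jsmith"},
    {"host": "srv-telco-07", "event_id": 7045, "service_name": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "user": "CORP\\jsmith"},
    {"host": "srv-telco-08", "event_id": 7045, "service_name": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "user": "CORP\\jsmith"},
    # Benign noise: an ordinary process start and a normal service install.
    {"host": "ws-admin-01", "event_id": 4688, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "user": "CORP\\jsmith"},
    {"host": "srv-telco-09", "event_id": 7045, "service_name": "Spooler",
     "image": r"%SystemRoot%\System32\spoolsv.exe", "user": "NT AUTHORITY\\SYSTEM"},
]


def is_psexec_artifact(event):
    """Return a short label if the event is a PsExec artifact, else None."""
    eid = event.get("event_id")
    image = event.get("image", "").lower()
    if eid == 7045 and event.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_service_install"
    if eid == 4688 and image.endswith("psexec.exe"):
        return "psexec_launch"
    return None


def detect_psexec(events):
    """Return {host: [labels]} for every host with at least one PsExec artifact."""
    hits = defaultdict(list)
    for ev in events:
        label = is_psexec_artifact(ev)
        if label:
            hits[ev["host"]].append(label)
    return dict(hits)


def remote_targets(events):
    """Collect the \\host targets named on psexec.exe command lines.

    A single source host naming many targets in a short window is the
    fan-out pattern that distinguishes lateral movement from one-off
    administration.
    """
    targets = set()
    for ev in events:
        if is_psexec_artifact(ev) == "psexec_launch":
            for tok in ev.get("cmdline", "").split():
                if tok.startswith("\\\\"):
                    targets.add(tok.lstrip("\\").lower())
    return sorted(targets)


if __name__ == "__main__":
    for host, labels in detect_psexec(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(labels)}")
    print("targets reached:", remote_targets(SAMPLE_EVENTS))
```

Two caveats follow directly from the article's point about living off the land. First, a hit here is not proof of compromise: an administrator running PsExec produces exactly the same events, so the signal is context (which account, from which workstation, to how many hosts, at what hour), which is what a baselining layer such as the one Symantec describes is for. Second, the rule keys on PsExec's default service name, so it is a starting point for triage rather than a complete detection; pairing it with the 4688 process-creation hit on the source host, as above, catches the case where only one side of the connection is visible.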
The malware, called Infostealer.Catchamas, was a variant of another type of malware, called Trojan.Rikamanu, which had been previously associated with Thrip, Symantec says.
Other legitimate tools that Thrip leverages include PowerShell, WinSCP, LogMeIn and Mimikatz, a penetration testing tool that can be used to recover passwords from Windows systems.
Thrip is far from the first hacking group to make use of open source components to help infect systems and spread.
Seeking Satellite Control
Symantec found that Thrip showed particular interest in one satellite operator's computers that are used to monitor and control satellites. "This suggests to us that Thrip's motives go beyond spying and may also include disruption," it says.
Thrip also focused on those types of systems for another "organization involved in geospatial imaging and mapping," which the security firm declined to name.
"[The hacking group] targeted computers running MapXtreme GIS (geographic information system) software, which is used for tasks such as developing custom geospatial applications or integrating location-based data into other applications," Symantec says. "It also targeted machines running Google Earth Server and Garmin imaging software."