A China-linked cyberespionage group called Thrip has been found targeting satellite operators, defense contractors, geospatial imaging systems and telecommunications companies in the US and Southeast Asia. Security researchers at Symantec said the group has been active since at least 2013 and has evolved over the years.
Thrip has been using “living off the land” techniques (using legitimate, free and readily available tools in its attacks) to evade detection, blend into victims’ networks, and make attribution much harder for security experts.
Symantec researchers said they have identified three computers in China used to launch the recent attacks.
Thrip’s carefully selected targets
Thrip was found targeting a satellite communications operator and a satellite imaging and mapping entity. In both cases, the hacker group was more interested in the internal operational aspects of the targets than in their data.
In the case of the satellite communications operator, the hackers were found looking into and infecting computers that ran software used to monitor and control satellites. When targeting the satellite imaging and mapping firm, the hackers went after computers used to develop custom geospatial applications. Thrip also targeted computers running Google Earth Server and Garmin imaging software.
Symantec researchers suggest that Thrip’s activities indicate that the group’s motive goes “beyond spying and may also include disruption”.
Thrip also targeted three Southeast Asia-based telecom operators. The nature of the computers infected there suggested the hackers were interested in the operators themselves, rather than in their customers.
Although Thrip initially relied heavily on custom malware, it shifted tactics in 2017 to deploy a mix of custom malware and living off the land tools. Custom malware used against specific targets includes:
- Trojan.Rikamanu - A data-stealing malware that can steal computer information and credentials.
- Infostealer.Catchamas - A malware that is based on Rikamanu and has other features designed to help it avoid detection.
- Trojan.Mycicil - A keylogger created by underground Chinese hackers; it is publicly available but rarely used.
- Backdoor.Spedear - A backdoor that Thrip has previously used.
- Trojan.Syndicasec - A custom malware used by Thrip in previous campaigns.
“We’ve been monitoring Thrip since 2013 when we uncovered a spying campaign being orchestrated from systems based in China. Since our initial discovery, the group has changed its tactics and broadened the range of tools it used,” Symantec researchers wrote in a blog post. “Espionage is the group’s likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so.”