China-Linked ‘Thrip’ Spies Target Satellite, Defense Companies

A China-linked cyber espionage group has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia, Symantec reported on Tuesday.

Symantec has been tracking the threat actor, which it has named “Thrip,” since 2013. However, the security firm says the group’s activities have not been made public until now.

Thrip has used a combination of custom malware and legitimate tools in its attacks. One victim was a satellite communications operator, where the hackers targeted devices involved in operations, as well as systems running software designed for monitoring and controlling satellites.

“This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” Symantec researchers said.

Thrip has also targeted a company specializing in geospatial imaging and mapping. The attackers attempted to gain access to machines hosting MapXtreme GIS, Google Earth Server and Garmin imaging software.

The list of victims identified by Symantec also includes three telecoms firms in Southeast Asia. The companies themselves appear to have been Thrip’s targets rather than their customers. Another victim is a defense contractor, but no details have been shared by the security firm on this attack.

Symantec has been monitoring Thrip since 2013, when it spotted a campaign conducted from systems located in China. The group initially relied mostly on custom malware, but more recent campaigns, which started last year, also involved legitimate tools.

The pieces of malware used by the group include Trojan.Rikamanu, a trojan designed for stealing credentials and other information from compromised systems, and Infostealer.Catchamas, an evolution of Rikamanu that includes improved data theft and anti-detection capabilities.

Thrip has also been spotted using Trojan.Mycicil, a keylogger offered on Chinese underground marketplaces but which has not been seen often, and Backdoor.Spedear and Trojan.Syndicasec, both of which have been observed in the group’s older campaigns.

As for the legitimate tools used by the cyberspies, the list includes the Windows SysInternals utility PSExec, PowerShell, the post-exploitation tool Mimikatz, the open source FTP client WinSCP, and the LogMeIn remote access software.

“This is likely espionage,” said Greg Clark, CEO of Symantec. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat.”

Related: Chinese Cyberspies Target National Data Center in Asia

Related: China-Linked Spies Used New Malware in U.K. Government Attack

Related: Researchers Link Several State-Sponsored Chinese Spy Groups