Threat Intelligence

Symantec pegs Chinese group Thrip behind recent cyberespionage attacks

Symantec researchers spotted three Chinese computers as being behind a string of cyberespionage attacks targeting private and defense-related targets in the United States and Southeast Asia, including an attempt to enter a computer system that handles satellite operations.

The company was tipped off to the intrusions in January 2018 when it was alerted to a telecom in Southeast Asia being hit with the attacker using PsExec, a Microsoft Sysinternals tool for executing processes on other systems, Symantec reported. Once this was flagged Symantec found it was being used to spread an updated version of Trojan.Rikamanu, a malware associated with Thrip, a group that has been on Symantec's radar for five years.

Once Symantec knew what to look for the company was able to discover Thrip was attacking many other organizations as the core element to a cyberespionage campaign aimed at the communications, geospatial imaging, and defense sectors.

“Perhaps the most worrying discovery we made was that Thrip had targeted a satellite communications operator. The attack group seemed to be particularly interested in the operational side of the company, looking for and infecting computers running software that monitors and controls satellites.This suggests to us that Thrip's motives go beyond spying and may also include disruption,” wrote Security Response Attack Investigation Team.

One of the threat actors favorite targets were Southeast Asia-based telecoms with three being singled out for attention with Thrip was able to infiltrate the companies and not their customers.

The final target was an unnamed defense contractor.

Since Symantec began tracking Thrip, the group has altered its tactics moving from only using proprietary malware to adding in some living off the land tools. In addition to PsExec, these include PowerShell, Mimikatz, WinSCP and LogMeln. Most of these have legitimate uses so it makes it even more difficult for an analyst to pick out when something is being used maliciously, Symantec said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.