A Chinese cyber-hacking group is thought to have hacked a number of companies in the satellite, telecom and defence industries in the US and Southeast Asia, it has emerged.
According to security researchers at Symantec, the campaign originated from machines based in mainland China.
Dubbed Thrip by researchers, the group has been operating since 2013, making use of operating system features or legitimate network administration tools to compromise victims' networks.
“The purpose of living off the land is twofold. By using such features and tools, attackers are hoping to blend in on the victim's network and hide their activity in a sea of legitimate processes. Secondly, even if malicious activity involving these tools is detected, it can make it harder to attribute attacks,” said researchers in a blog post.
There are four key targets of Thrip. First, a satellite communications operator, suggesting that motives go beyond spying and may also include disruption. Second, the hackers are going after geospatial imaging and mapping, mainly in the operational side of the company, targetting computers running MapXtreme GIS (Geographic Information System) software which is used for integrating location-based data into other applications. It also targeted machines running Google Earth Server and Garmin imaging software.
The hackers have also targeted three different telecoms operators, all based in Southeast Asia – in all cases, based on the nature of the computers infected by Thrip, it appeared that the telecoms companies themselves and not their customers were the targets of these attacks. A fourth target of interest was a defence contractor.
Researchers said the hackers used legitimate tools such as PsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool was primarily used by the attackers to move laterally on the victim's network.
Hackers also used Powershell to run commands to download payloads, traverse compromised networks, and carry out reconnaissance. They also made use of Mimikatz, a freely available tool capable of changing privileges, exporting security certificates, and recovering Windows passwords in plaintext; WinSCP, an open source FTP client used to exfiltrate data from targeted organisations; and LogMeIn. With the last tool, Symantec said it was unclear whether the attackers gained unauthorised access to the victim's LogMeIn accounts or whether they created their own.
These legitimate tools were used to install custom malware, such as Trojan.Rikamanu, Infostealer.Catchamas, Trojan.Mycicil, Backdoor.Spedear, and Trojan.Syndicasec.
Researchers said it detected the attacks using its Targeted Attack Analytics (TAA) tool that uses artificial intelligence and machine learning to spot patterns associated with targeted attacks. This AI tool detected unusual activity in January this year.
“This is likely espionage,” said Greg Clark, Symantec CEO. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organisations won't notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defence companies.”
Joseph Carson, chief security scientist at Thycotic, told SC Media UK that it has been common for many years that cyber-criminals are using the victims own administrative tools to move around the network and blend into the normal network traffic.
“Most cyber-criminals do not want to be found or detected, and it is much easier to stay hidden using the victims' own solutions rather than introducing anything new that could trigger alarms,” he said.
“The best way to defend against such attacks is to ensure that your own solutions for administrating the network and configuring privileges are protected and secured by using privileged access management and multi-factor authentication. This makes it more difficult and costly for the attackers to compromise easily.”
Sam Haria, global SOC manager at invinsec, told SC Media UK that it is very hard for an organisation to prevent these types of attacks as the malware in question is highly evolved and as the hacking group use more AI based tools.
“One suggestion is for organisations without a specific need to operate with Chinese IP addresses, consider blacklisting Chinese IP addresses. If an organisation feels at risk, then bringing in a reputable 3rd party company to conduct a penetration test will also highlight areas within your security fence that are vulnerable, and this should be seen as an on-going annual or bi-annual activity and not just a one-off exercise,” he said.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout