In late 2017, a Chinese-linked hacking group began targeting at least two U.S.-based satellite companies, a Defense Department contractor and a private firm that sells geospatial imaging technology, according to new research by Symantec.
The focused hacking campaign appears to have been launched late last year, around the same time that talk of a U.S.-China trade war, now in full swing, was heating up. Symantec discovered the malicious cyber activity and notified the U.S. government roughly four months ago, according to Jon DiMaggio, a senior threat intelligence analyst with Symantec who led the investigation.
Tuesday’s findings show that the attackers, dubbed “Thrip” by analysts, have reemerged after seemingly going underground for more than two years. The group stopped operations after a historic political agreement in 2015 between then-U.S. President Barack Obama and Chinese President Xi Jinping. That agreement sought to deter cyber-enabled economic espionage, which involves stealing intellectual property and other business secrets. Conventional espionage targets, like defense contractors and federal agencies, are considered fair game under the arrangement.
Thrip’s latest campaign relies on a toolbox of both open-source and sophisticated custom-built hacking capabilities, including three different Trojans, known as “Infostealer.Catchamas,” “Trojan.Rikamanu” and “Trojan.Mycicil.” These tools allow the hackers to steal user credentials, move laterally across compromised networks, and deploy additional remote access backdoors. In Thrip’s attempts to hack the two U.S. satellite companies, the group used all three of the aforementioned Trojans.
In the past, most cyber espionage groups would use their own custom tools, which meant that it was easier to notice certain anomalies in a network, said DiMaggio. “Because Thrip and others are increasingly leveraging things like PsExec, which could be legitimately used by an administrator, it can make it more difficult to tell what’s malicious.”
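The detection problem DiMaggio describes, as an added example that is not from Symantec or the article: over constructed Windows System log records for Event ID 7045 (a service install, which PsExec leaves on every target as the PSEXESVC service), flag PsExec use by an account or source host outside an assumed admin baseline, and flag one source pushing PsExec to several hosts within a short window, the lateral-movement pattern the article describes. The baseline sets, hostnames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the Symantec report): Event ID 7045
# "a service was installed" entries, flattened the way a SIEM might store them.
SAMPLE_LOGS = """\
2017-11-02T09:14:01Z host=SAT-WS01 event_id=7045 service=PSEXESVC account=CORP\\jsmith src=ADMIN-JUMP01
2017-11-02T09:15:07Z host=SAT-WS02 event_id=7045 service=PSEXESVC account=CORP\\jsmith src=ADMIN-JUMP01
2017-11-02T23:41:10Z host=SAT-DB01 event_id=7045 service=PSEXESVC account=CORP\\svc_backup src=SAT-WS07
2017-11-02T23:41:55Z host=SAT-GS01 event_id=7045 service=PSEXESVC account=CORP\\svc_backup src=SAT-WS07
2017-11-02T23:42:30Z host=SAT-GS02 event_id=7045 service=PSEXESVC account=CORP\\svc_backup src=SAT-WS07
2017-11-03T10:00:00Z host=SAT-WS03 event_id=7045 service=Spooler account=SYSTEM src=SAT-WS03
"""
LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) "
                     r"service=(?P<svc>\S+) account=(?P<acct>\S+) src=(?P<src>\S+)")
# Assumed baseline: who is expected to run PsExec, and from where.
ALLOWED_ACCOUNTS = {"CORP\\jsmith"}
ALLOWED_SOURCES = {"ADMIN-JUMP01"}
FANOUT_WINDOW = timedelta(minutes=10)   # one source hitting this many hosts
FANOUT_THRESHOLD = 3                    # in this window looks like lateral movement

def parse(logs):
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events

def psexec_alerts(logs):
    """Return (kind, src, account, target) tuples for PSEXESVC installs."""
    alerts = []
    by_src = defaultdict(list)
    for e in parse(logs):
        if e["eid"] != "7045" or e["svc"].upper() != "PSEXESVC":
            continue  # other service installs are out of scope here
        if e["acct"] not in ALLOWED_ACCOUNTS or e["src"] not in ALLOWED_SOURCES:
            alerts.append(("unexpected_psexec", e["src"], e["acct"], e["host"]))
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window per source host
            targets = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= FANOUT_WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts.append(("psexec_fanout", src, first["acct"], sorted(targets)))
                break
    return alerts
```

The baseline check catches the off-hours service-account use from a workstation, and the fan-out check fires independently of the baseline, so it still fires if an allowed admin account is stolen.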
While the group did gain access to some of the companies’ networks, Thrip’s tools were blocked by Symantec’s software. The cybersecurity firm did not disclose which particular companies were impacted.
Symantec’s decision to quickly tip off the government was driven by the fact that the Chinese hackers seemed intent on specifically gaining access to operational technology (OT) that’s used to physically control satellite systems in space.
“We could see based on where they were spending their time and effort that they were really trying to go after this satellite company,” DiMaggio told CyberScoop. “They were enumerating directories, manually looking for very specific things like this one software program and the command and control for the satellites … it was much more careful than scanning. They were going after total access, going after the backend databases of these systems as well. Most of the computers at the company didn’t touch the satellites, so they were quite focused.”
While Symantec has been tracking Thrip since 2013, the latest activity is the most aggressive the company has ever seen from the group.