Chinese espionage group targeting telcos, defence companies


By Dylan Bushell-Embling
Monday, 25 June, 2018



A never-before-exposed cyber espionage group is engaged in a highly targeted espionage operation against satellite, telecommunications and defence companies across Southeast Asia and the US, Symantec has revealed.

The group, called Thrip, is based out of mainland China. Thrip’s motive is likely espionage, and it has been attacking targets using powerful custom malware.

Symantec observed the group attacking a satellite operator and probing the operational side of the company, suggesting that Thrip’s motives may go beyond espionage and may also include disruption.

The campaign has also targeted three different telecom operators based in Southeast Asia, a defence contractor and an organisation involved in geospatial imaging and mapping.

Symantec said it has been monitoring Thrip since 2013. The most recent wave of attacks from the group, which commenced in 2017, uses a mixture of custom malware and ‘living off the land’ tools: legitimate operating system features or network administration tools that attackers use to blend into a victim’s network and evade detection.

The group is using Microsoft Sysinternals tool PsExec to move laterally on a victim’s network, PowerShell to download payloads and traverse compromised networks, open source FTP client WinSCP to exfiltrate data from targeted organisations, and cloud-based remote access software LogMeIn.

Custom malware used by the group is meanwhile designed to steal information from infected computers, further evade detection, log keystrokes and insert backdoors into a victim’s network.
