A hacking group known as Thrip has launched cyberattacks on two U.S. satellite companies, a private company that sells geospatial imaging technology, and a defense contractor from a location in China. Three Southeast Asian telecom operators were also attacked.
The attacks were publicly reported Tuesday by researchers at Symantec, who discovered the attacks late last year and reported them to the U.S. government earlier this year.
The researchers first spotted Thrip in 2013, but the group went dormant in 2015 following an agreement between Chinese President Xi Jinping and U.S. President Barack Obama on cyberattacks against economic targets. According to CyberScoop, the agreement did not cover conventional espionage targets like defense contractors and federal agencies.
In the new attacks that started late last year when talk of a U.S.-China trade war heated up, Thrip combines readily available tools that are used for legitimate purposes and can be used by malicious actors to insert malware into their targeted systems. Using these tools and adding custom-built attacking software allowed Thrip to steal credentials, move easily through a company’s computer network and insert more remote access backdoors to give themselves wider access to targeted systems.
Symantec senior threat intelligence analyst Jon DiMaggio told CyberScoop:
We could see based on where they were spending their time and effort that they were really trying to go after this satellite company. They were enumerating directories, manually looking for very specific things like this one software program and the command and control for the satellites … it was much more careful than scanning. They were going after total access, going after the backend databases of these systems as well. Most of the computers at the company didn’t touch the satellites, so they were quite focused.
The researchers also cited their most worrying discovery:
… Thrip had targeted a satellite communications operator. The attack group seemed to be particularly interested in the operational side of the company, looking for and infecting computers running software that monitors and controls satellites. This suggests to us that Thrip’s motives go beyond spying and may also include disruption.
The hacking group’s name comes from a variety of garden pests called thrips (both the single and plural form) that damage plants by sucking out their juices. There are more than 6,000 species of the worthless insects.