A cyber-espionage group infiltrated satellite, telecom and defense companies in the US and Southeast Asia, and the evidence points to intelligence gathering as the campaign's objective. Identified by Symantec and announced on 19 June, the campaign originated from machines based in mainland China, according to researchers.
Thus far, the analysis suggests that the defense, telecom and satellite sectors – more specifically, the geospatial sector – have been targeted. In the geospatial sector, the group targeted computers running MapXtreme GIS (geographic information system) software, used to develop custom geospatial applications and to integrate location-based data. Not surprisingly, machines running Google Earth Server and Garmin imaging software were also targeted.
"The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won't notice their presence," Greg Clark, Symantec CEO, said in a press release. "They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat."
Because the attackers moved laterally in order to infect satellite monitoring and control devices within a satellite communications operator, the threat has the potential to be very disruptive. In a 19 June blog post, Fortinet said this component of the threat suggests that the group likely wanted to gather intelligence, exfiltrate data and disable the satellites.
"Thrip exemplifies the growing urgency for being able to quickly and reliably detect lateral movement across the network," said Anthony Giandomenico, senior security researcher, Fortinet FortiGuard Labs. Defending against an advanced threat such as Thrip, however, requires a number of critical security strategies to be in place.
Attackers rarely find what they are looking for in their first compromised device, which is why they then move laterally in search of the systems they need to accomplish their goal. Moving through the systems also allows them to "establish a stronger foothold to increase the difficulty of properly removing the malware from the network," Giandomenico said.
"Detecting an initial compromise can be very difficult, even with sophisticated security measures in place, as it usually happens very fast and often uses advanced evasion techniques to disguise the attack," Giandomenico continued. "This sort of countermeasure requires keeping up with the latest techniques adversaries are using while being proactive in finding and addressing existing network blind spots and control gaps."
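One concrete form the "detect lateral movement" advice above can take is a fan-out check over remote logon records: a workstation that authenticates to an unusually large number of distinct hosts in a short window is behaving like an operator moving through the network with built-in tools. The script below is an added example written for this article, not code from Symantec, Fortinet or the Thrip report; the log format, host names and thresholds are all constructed assumptions, and real deployments would feed it from Windows Security event 4624 logon-type-3 records or an equivalent source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts and users, not from the article).
# Format assumed: "<iso-timestamp> src=<host> dst=<host> user=<name> type=network-logon"
SAMPLE_LOG = """\
2018-06-19T09:00:00 src=ws-17 dst=fileserver-1 user=alice type=network-logon
2018-06-19T09:02:10 src=ws-17 dst=gis-01 user=alice type=network-logon
2018-06-19T09:03:40 src=ws-17 dst=gis-02 user=alice type=network-logon
2018-06-19T09:05:05 src=ws-17 dst=gis-03 user=alice type=network-logon
2018-06-19T09:06:30 src=ws-17 dst=satmon-01 user=alice type=network-logon
2018-06-19T09:30:00 src=ws-42 dst=fileserver-1 user=bob type=network-logon
2018-06-19T14:00:00 src=ws-42 dst=mail-01 user=bob type=network-logon
"""


def parse_event(line):
    """Turn one log line into (timestamp, src, dst, user). Returns None for
    lines that are not network logons, so callers can feed a mixed log."""
    parts = line.split()
    if len(parts) < 5:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("type") != "network-logon":
        return None
    return (datetime.fromisoformat(parts[0]), fields["src"], fields["dst"], fields["user"])


def detect_fanout(log_text, max_targets=3, window=timedelta(minutes=10)):
    """Return {source_host: sorted distinct targets} for every source that
    reached MORE than max_targets distinct hosts inside any sliding window.

    The threshold and window are assumptions for this example; tune them to
    the baseline of the environment (admin jump hosts need their own profile).
    """
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is not None:
            ts, src, dst, user = event
            by_source[src].append((ts, dst, user))

    alerts = {}
    for src, records in by_source.items():
        records.sort()  # chronological order so each window starts at a record
        for i, (t0, _, _) in enumerate(records):
            # Distinct destinations reached within `window` of this record.
            targets = {dst for ts, dst, _ in records[i:] if ts - t0 <= window}
            if len(targets) > max_targets:
                alerts[src] = sorted(targets)
                break  # one alert per source host is enough
    return alerts


if __name__ == "__main__":
    for src, targets in detect_fanout(SAMPLE_LOG).items():
        print(f"possible lateral movement from {src}: {', '.join(targets)}")
```

In the constructed sample, `ws-17` reaches five distinct hosts in under seven minutes and is flagged, while `ws-42` touches two hosts hours apart and is not. The check deliberately keys on behaviour rather than on any particular tool, which matters for a group described as relying on standard operating system utilities.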