An advanced hacking campaign originating in China has spent the past year infiltrating satellite operators, defense contractors, and telecoms companies in the US and Southeast Asia, researchers from Symantec said.

The attackers specifically looked for and infected computers one target used to monitor and control satellites, Symantec researchers reported in a blog post published Tuesday. A hack on a second target in the geospatial industry zeroed in on the software-development tools it used. The focus on the operational sides of the unnamed companies suggests that the hackers sought the ability not just to intercept but possibly to also alter communications traffic sent by businesses and consumers.

View more

“Espionage is the group’s likely motive, but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so,” Symantec researchers wrote.

Living off the land

Symantec has been following the Chinese hacking group since 2013 when it was first spotted orchestrating an espionage campaign. Thrip, as Symantec dubbed the group, mainly used custom-developed malware tools in those days. In the recent campaign, Thrip has adopted a strategy security researchers call “living off the land,” which relies on legitimate tools and operating-system features to take control of targets’ networks. By using the same tools already present in a targeted network, attackers’ malicious activities blend in with the target’s legitimate processes.

Key tools used by Thrip include PsExec, the Microsoft Sysinternals tool for controlling network-connected computers; PowerShell, a Microsoft scripting tool; WinSCP, an open source FTP client; and LogMeIn, which is remote-access software. The group also used the freely available Mimikatz hacking tool. Once the group found specific computers of interest, it would deploy custom malware that included Trojan.Rikamanu, which is designed to steal access credentials and other sensitive data; Infostealer.Catchamas, a complement to Trojan.Rikamanu that contains additional features for stealth and data capture; and Trojan.Mycicil, a keylogger created by underground hackers in China.


Others targeted in the same recent Thrip campaign include a defense contractor and three telecoms operators in Southeast Asia. The attack on the geospatial imaging organization targeted computers running the MapXtreme geographic information system software, which is used to develop custom geospatial applications and integrate location-based data into other apps. The attack also targeted machines running Google Earth Server and Garmin imaging software.

Symantec said the first sign of the campaign came in January when one of its products detected the suspicious use of PsExec inside a large telecoms provider in Southeast Asia. Researchers soon discovered that attackers were using the sysinternals tool to remotely install a previously unknown piece of malware on computers inside the telecoms provider’s network. Symantec later identified the malware as an updated version of Trojan.Rikamanu. The campaign has been operating since last year.