
China-based Thrip hacking group targets U.S. telecoms

News roundup: China-based Thrip hacking group used legitimate tools to attack companies in the U.S. and Southeast Asia. Plus, election officials didn't know about hacks, and more.

A Chinese cyberespionage group has been using "living off the land" techniques to hack satellite, telecom and defense companies in Southeast Asia and the United States.

According to the Security Response Attack Investigation Team at security software company Symantec Corp., the Thrip hacking group has been using legitimate admin tools and features to compromise networks -- a tactic called "living off the land."

"The purpose of living off the land is twofold," the Symantec researchers explained in a blog post. "By using such features and tools, attackers are hoping to blend in on the victim's network and hide their activity in a sea of legitimate processes. Secondly, even if malicious activity involving these tools is detected, it can make it harder to attribute attacks."

Symantec said it used its Targeted Attack Analytics tool to scan for attack patterns, which is what led the researchers to uncover these attacks in January 2018. According to the research, an attacker was using PsExec -- a free Microsoft Sysinternals command-line tool for running processes on remote systems -- inside a telecom company in Southeast Asia to remotely install the Trojan.Rikamanu malware, which has previously been associated with the Thrip hacking group.

From there, Symantec said, "we broadened our search to see if we could find similar patterns that indicated Thrip had been targeting other organizations. We uncovered a wide-ranging cyberespionage campaign involving powerful malware being used against targets that are a cause for concern."

Symantec researchers found three computers in China that were being used to launch targeted attacks in the communications, geospatial imaging and defense industries in both Southeast Asia and the U.S.

"Thrip's motive is likely espionage," Symantec said, noting that the Thrip hacking group took particular interest in the operation side of a satellite communications operator. "This suggests to us that Thrip's motives go beyond spying and may also include disruption."

Symantec said it has been tracking the Thrip hacking group since 2013 and has noticed its tactics evolve over the years. Initially, Thrip relied primarily on custom malware; now, it mixes that malware with living-off-the-land tools and techniques. The tools Thrip uses include PsExec, PowerShell, WinSCP and LogMeIn, all legitimate administration software, along with Mimikatz, a publicly available credential-theft tool rather than an admin utility.
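Because living-off-the-land activity leaves ordinary Windows telemetry behind rather than a malware signature, the practical defence is correlating normal-looking events on a host. The Python below is an added example written for this article, not code from Symantec or from the Thrip research. It runs simple detection logic over a few constructed Windows event records (System log Event ID 7045 service installs and Security 4688 / Sysmon 1 process creations) and flags hosts where PsExec activity coincides with Mimikatz-style command lines or obfuscated PowerShell. The Event schema, the host names and the sample events are assumptions made for the illustration; the behaviours it keys on (PsExec registering a PSEXESVC service on the target, the module::command syntax Mimikatz uses, PowerShell's -EncodedCommand and hidden-window switches) are generic and not specific to Thrip.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """A minimal, normalised Windows event (schema is this example's own, not a real log format)."""
    event_id: int          # 7045 = service installed; 4688 / Sysmon 1 = process created
    host: str
    user: str
    image: str = ""        # full path of the created process
    command_line: str = ""
    service_name: str = ""
    service_path: str = ""


# Mimikatz module::command syntax, e.g. sekurlsa::logonpasswords, lsadump::sam
MIMIKATZ_RE = re.compile(r"\b(sekurlsa|lsadump|kerberos|privilege|token)::\w+", re.I)
# PowerShell launched with an encoded command or a hidden window
POWERSHELL_RE = re.compile(r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden", re.I)
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def classify(ev: Event) -> list[str]:
    """Return the detection labels that apply to a single event."""
    findings = []
    # PsExec copies PSEXESVC.exe to the target and registers it as a service,
    # which the System log records as Event ID 7045 ("A service was installed").
    if ev.event_id == 7045 and ev.service_name.upper() == "PSEXESVC":
        findings.append("psexec_service_install")
    if ev.event_id in (4688, 1):
        exe = ev.image.lower().rsplit("\\", 1)[-1]
        if exe in PSEXEC_IMAGES:
            findings.append("psexec_process")
        if MIMIKATZ_RE.search(ev.command_line):
            findings.append("mimikatz_cli")
        if exe in ("powershell.exe", "pwsh.exe") and POWERSHELL_RE.search(ev.command_line):
            findings.append("powershell_obfuscated")
    return findings


def triage(events) -> dict[str, set[str]]:
    """Group findings by host so separate weak signals can be read together."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.host].update(classify(ev))
    return {h: s for h, s in per_host.items() if s}


def hunt(events, min_signals: int = 2) -> list[str]:
    """Hosts carrying at least `min_signals` distinct findings. One PsExec run is
    ordinary admin work; PsExec plus credential dumping on the same box is not."""
    return sorted(h for h, s in triage(events).items() if len(s) >= min_signals)


# Constructed sample telemetry for this example; hosts and users are fictional.
SAMPLE_EVENTS = [
    Event(7045, "SAT-OPS-01", "SYSTEM", service_name="PSEXESVC",
          service_path=r"%SystemRoot%\PSEXESVC.exe"),
    Event(1, "SAT-OPS-01", r"CORP\svc_backup", image=r"C:\Windows\PSEXESVC.exe",
          command_line=r"C:\Windows\PSEXESVC.exe"),
    Event(1, "SAT-OPS-01", r"CORP\svc_backup", image=r"C:\Windows\Temp\m.exe",
          command_line='m.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    # A benign deployment script: PowerShell with ordinary switches, no finding expected.
    Event(1, "WS-0042", r"CORP\jdoe",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\deploy.ps1"),
    Event(1, "WS-0042", r"CORP\jdoe",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    Event(7045, "FILE-02", "SYSTEM", service_name="Spooler",
          service_path=r"%SystemRoot%\System32\spoolsv.exe"),
]


if __name__ == "__main__":
    for host, signals in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(sorted(signals))}")
    print("hosts to investigate:", hunt(SAMPLE_EVENTS))
```

Run stand-alone, it reports a single finding on WS-0042 (the encoded PowerShell launch) and three on SAT-OPS-01, and only SAT-OPS-01 crosses the two-signal threshold. That threshold is the point: each rule on its own will fire on legitimate administrators, which is exactly why the group chose these tools, so the triage has to be per host and ideally per time window rather than per event.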

In other news:

  • According to a report from The Intercept, election officials in some states were unaware that Russian hackers attempted to breach their voting systems in the months before the 2016 U.S. presidential election. The report said officials in North Carolina, for example, didn't learn of the attacks until they were publicized in the media, and the information about the potential threat never reached state officials because of tensions between the various intelligence agencies. According to a National Security Agency assessment obtained by The Intercept, the cyberattacks on the 2016 election were carried out by the Russian General Staff Main Intelligence Directorate, which aimed to breach VR Systems' electronic voting software in important swing states.
  • South African financial services provider Liberty Holdings Ltd. suffered a breach, and the hackers are demanding millions of dollars in exchange for the stolen data. In a notice on Liberty's website, the company said, "At this stage we are able to confirm that the information accessed as a result of the breach comprised largely of e-mails and attachments and further, that this matter is currently under investigation by the relevant authorities." The breach reportedly affected "sensitive data" about "top clients." According to a report from Bloomberg, Liberty refused to pay the ransom, and the company said there is no evidence so far that there has been any financial loss for its customers.
  • Competing cybersecurity companies CrowdStrike Inc. and Cylance Inc. both announced significant funding this week. CrowdStrike raised $200 million in financing, while Cylance raised $120 million. CrowdStrike sells cloud-delivered endpoint protection backed by threat intelligence, and it has helped with incident response efforts after the Sony Pictures hack and the attacks on the Democratic National Committee. Cylance applies artificial intelligence and machine learning to defend against malware-based attacks, and it was founded by former McAfee CTO Stuart McClure. Cylance said it plans to use the funds to expand its global presence and add to the products it offers.
