Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/9/2019
01:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Public Exposure Does Little to Slow China-Based Thrip APT

Over the past year, the cyber-espionage group has attacked at least 12 other companies in the military, telecom, and satellite sectors, Symantec says.

China-based advanced persistent threat group (APT) Thrip continues to pose a major threat to organizations in the satellite, telecommunications, and military sectors in Southeast Asia more than a year after Symantec first exposed its activities.

Far from being deterred by the exposure, the group has continued its attacks unabated on companies in the region. Since June 2018, Thrip has attacked at least 12 high-level targets in multiple countries, including Hong Kong, Indonesia, Malaysia, and the Philippines, Symantec said in an update on Thrip's activities this week.

Thrip, which is known for leveraging legitimate tools such as PsExec, PowerShell, and LogMeIn in its attacks, also has added more custom weapons to its arsenal. According to Symantec, the Chinese group recently began using a previously unseen backdoor called Hannotog to try and gain persistent remote access on compromised systems. Hannotog takes advantage of the built-in Windows Management Instrumentation (WMI) component in Windows as part of its execution on victim networks.

Thrip also is using Sagerunex, another backdoor, recent attacks, suggesting a strong link between Thrip and Billbug Group (aka Lotus Blossom), a well-known Chinese cyber-espionage group that has been operating since at least early 2009. Sagerunex appears to be a more evolved version of malware dubbed Evora, which Billbug has been known to use. Based on this and other available telemetry it appears Thrip is a subgroup of Billbug, Symantec said.

For organizations on its radar, Thrip presents a clear and present danger, says Vikram Thakur, technical director at Symantec.

"Attackers will continue to target organizations regardless of public exposure of their campaigns and tools," he says. "[Organizations] in targeted market segments should take note of the techniques leveraged by Thrip and ensure they have appropriate tools to both instrument and respond in case the attacker turns their way." 

One complicating factor is Thrip's heavy use of legitimate and dual-use tools for lateral movement, credential theft malware execution, and other malicious activities. By hiding its attack traffic in a sea of legitimate traffic, the group — like a growing number of other threat actors — has made it much harder for organizations to stop them using typical antimalware and theft detection tools.

Beyond Cyber Espionage?
Thrip's main motive continues to be cyber espionage, Thakur says. But in at least a few of its attacks, the group appears to have gained a dangerous level of access to operational systems.

In one attack on a satellite communications provider that Symantec investigated last year, Thrip actors seemed particularly interested in infecting computers that monitored and controlled satellites. In another attack involving a Southeast Asian geospatial imaging and mapping company, Thrip once again went after operational systems. That time, the group attacked systems using for critical application development tasks and those running imaging software and Google Earth Server.

Thakur says Symantec is not sure what exactly the attackers would have been able to do with their access to these systems. "Our visibility stops at attackers being able to get onto machines," he notes.

Data from attacks on at least three other communications firms in Southeast Asia suggested Thrip was primarily targeting the companies themselves and not their customers, Symantec said.

For the moment, at least, Thrip appears solely focused on organizations in Southeast Asia. But there's no telling when that might change. "While we don't have any evidence of US targeting in the past year of Thrip's activity, this can change at any moment," Thakur warns. "We always urge peers within targeted verticals to take note of ongoing attacks and bolster their own defenses in the event the attackers change targeting."  

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Phishers' Latest Tricks for Reeling in New Victims."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The State of Email Security and Protection
Mike Flouton, Vice President of Email Security at Barracuda Networks,  11/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18881
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
CVE-2019-18882
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
CVE-2019-18873
PUBLISHED: 2019-11-12
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the pa...
CVE-2019-18874
PUBLISHED: 2019-11-12
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.