‘Targeted espionage campaign targets telecom and satellite companies’
Security firm Symantec says it has uncovered a spy campaign targeting telecom providers and a company involved in satellite communications. The targets are said to be in the US and Southeast Asia.
In a blog post, the company writes that in January it noticed an attack on a major telecommunications company in Southeast Asia. By examining the malware used, it concluded that the attack was the work of a group it refers to as Thrip, which it has been tracking since 2013. Based on the established patterns, such as the use of modified and new malware, it was able to identify other attacks. Another target was a satellite communications company, where the attackers appeared to be primarily interested in infecting systems used to control and monitor satellites.
According to Symantec, the malware used mainly served to steal information, such as login details. Among the other targets was also a company engaged in the collection of geo-information. In this case, for example, the attackers targeted systems running the so-called MapXtreme GIS software. Symantec also reports further targets, such as other telecommunications companies in Southeast Asia and a US defense contractor.
In the attacks, which were allegedly carried out from computers in China, the Thrip group made extensive use of existing Windows tools and other software, for example to move further into an organization’s network. Among the Windows tools are psexec and PowerShell, but the attackers also took advantage of Mimikatz and LogMeIn, the security company said. Psexec, a tool for running programs on other systems, is widely used to penetrate networks further; it was used for this purpose in the NotPetya attack, for example.
Symantec states that the use of these tools makes it more difficult to identify those responsible for the attacks, because of their generic nature. Moreover, detection becomes harder, because the activity often involves legitimate tools.