A cyber-espionage group believed to be operating out of China has hacked satellite communications and geospatial imaging companies, as well as defense contractors, in both the United States and Southeast Asia.
The hacks were detected by US cyber-security firm Symantec, which said in a report published today that the intruders showed particular interest in the operational side of the breached companies.
The hackers sought out, and paid close attention to infecting, the computer systems used to control communications satellites or to process geospatial data collected by world-mapping satellites.
"This suggests to us that [the group]'s motives go beyond spying and may also include disruption," Symantec said. There are fears that the hackers might be able to, or might even attempt to, sabotage satellites or poison geospatial data.
The company said the attacks were the work of an advanced persistent threat (APT, a term used to describe cyber-espionage groups) known by the codename Thrip.
Symantec says it's been tracking this group since 2013, and it has historically believed the group to be operating out of China.
The recent attacks were difficult to detect, the company said. Hackers used a technique known as "living off the land," which consists of using local tools already available on the operating system to carry out malicious operations.
"The purpose of living off the land is twofold," Symantec explained. "By using such features and tools, attackers are hoping to blend in on the victim’s network and hide their activity in a sea of legitimate processes. Secondly, even if malicious activity involving these tools is detected, it can make it harder to attribute attacks."
According to Symantec, hackers used the following locally-installed and completely legitimate tools...
...to install custom-made malware such as:
Symantec says it detected these attacks only after one of its artificial intelligence and machine learning-based technologies triggered an alert for a suspicious use of a legitimate tool.
Experts say they used this initial alert to uncover the first signs of compromise and then pulled on the thread to uncover a broader operation targeting multiple companies across multiple countries and industry sectors. The purpose of this hacking campaign was obviously cyber-espionage.
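The detection Symantec credits with surfacing the campaign, an alert on suspicious use of a legitimate tool, depends on context rather than on the tool itself, which is exactly what "living off the land" is meant to defeat. As an added illustration, not code from the article or from Symantec, the Python below baselines which users and parent processes normally launch a few dual-use administrative tools and flags launches that fall outside that baseline. The tool names, host names, users and events are all constructed sample data, not indicators from the Thrip report.

```python
"""Toy context-based check for "living off the land" activity.

A legitimate, locally installed tool is flagged when it is launched by a
(user, parent process) pairing that was never seen during a known-good
baseline period. Added example; every tool name, host, user and event
below is constructed sample data, not an indicator from the Thrip report.
"""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event, as an EDR or audit log would record it."""
    host: str
    user: str
    parent: str     # image name of the parent process
    image: str      # image name of the launched process
    cmdline: str


# Dual-use administrative tools that are legitimately present and therefore
# blend in with normal activity. Constructed list for this example only.
LEGITIMATE_TOOLS = {"powershell.exe", "psexec.exe", "wmic.exe"}


def build_baseline(events):
    """Record, per tool, the (user, parent) pairings that launched it
    during a known-good period."""
    baseline = defaultdict(set)
    for ev in events:
        image = ev.image.lower()
        if image in LEGITIMATE_TOOLS:
            baseline[image].add((ev.user.lower(), ev.parent.lower()))
    return baseline


def find_anomalies(baseline, events):
    """Return the events in which a legitimate tool was launched by a
    (user, parent) pairing absent from the baseline."""
    flagged = []
    for ev in events:
        image = ev.image.lower()
        if image not in LEGITIMATE_TOOLS:
            continue
        if (ev.user.lower(), ev.parent.lower()) not in baseline.get(image, set()):
            flagged.append(ev)
    return flagged


# Constructed known-good events: an IT administrator using the tools.
BASELINE_EVENTS = [
    ProcessEvent("gs-ws01", "CORP\\itadmin", "explorer.exe", "powershell.exe",
                 "powershell.exe -File deploy.ps1"),
    ProcessEvent("gs-ws02", "CORP\\itadmin", "explorer.exe", "powershell.exe",
                 "powershell.exe Get-Service"),
    ProcessEvent("gs-srv01", "CORP\\itadmin", "cmd.exe", "psexec.exe",
                 "psexec.exe \\\\gs-srv02 cmd"),
]

# Constructed later events: one routine launch and two out-of-context ones.
NEW_EVENTS = [
    ProcessEvent("gs-ws02", "CORP\\itadmin", "explorer.exe", "powershell.exe",
                 "powershell.exe Get-Process"),          # matches the baseline
    ProcessEvent("gs-ws07", "CORP\\jdoe", "winword.exe", "powershell.exe",
                 "powershell.exe -File report.ps1"),     # new user and parent
    ProcessEvent("gs-srv03", "CORP\\svc_backup", "services.exe", "psexec.exe",
                 "psexec.exe \\\\gs-srv04 cmd"),         # new user and parent
]


def run_example():
    """Baseline on the known-good events, then check the later ones."""
    return find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS)


if __name__ == "__main__":
    for ev in run_example():
        print(f"ALERT {ev.host} {ev.user} {ev.parent} -> {ev.image}: {ev.cmdline}")
```

The tool is never the indicator here; the pairing of who ran it and what launched it is. The same administrator running the same command from the same parent stays silent, while the two launches from previously unseen contexts produce alerts, which is the kind of lead an analyst can then pull on in the way the article describes.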
The company says it uncovered this operation in January, but the Thrip hacking campaign could be broader than the company has currently reported.