In a recent report published by cybersecurity firm Symantec, details of a new advanced persistent threat (APT) group targeting satellite and defense companies have been revealed to the public. An APT can be seen as a set of stealthy and continuous computer hacking processes. In general, APT processes require a high degree of covertness over a long period of time. The “advanced” element signifies the sophisticated techniques, including malware, used to exploit vulnerabilities in systems. The “persistent” element suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The “threat” element indicates human involvement in orchestrating the attack. Symantec has been tracking and investigating the group since 2013 and has decided to call the group in question “Thrip”.
In the murky world of cyber espionage, researchers have noticed groups adopting “living off the land” tactics. Such tactics involve the use of operating system features or legitimate network administration tools to compromise victims’ networks. It would appear that these tactics are adopted for two reasons. Firstly, by using such features and tools, attackers hope to blend in on the victim’s network and hide their activity in a sea of legitimate processes, allowing for the stealthy and continuous theft of information. Secondly, even if malicious activity involving these tools is detected, it is harder to attribute the attack to a particular group. Many such groups are adopting these so-called “living off the land” tactics, and Thrip is no different.
Thrip’s modus operandi is to use a combination of custom malware and legitimate tools in its attacks. The pieces of malware used by the group include Trojan.Rikamanu, a Trojan designed for stealing credentials and other information from compromised systems, and Infostealer.Catchamas, an evolution of Rikamanu that includes improved data theft and anti-detection capabilities. Symantec has also seen the group using Trojan.Mycicil, a keylogger offered on Chinese underground marketplaces but which has not been seen often, and Backdoor.Spedear and Trojan.Syndicasec. The last two have been seen in the group’s older attacks and campaigns.
As for the legitimate tools used by the cyberspies, the list includes the Windows Sysinternals utility PsExec, PowerShell, the post-exploitation tool Mimikatz, the open source FTP client WinSCP, and the LogMeIn remote access software. All of these tools, barring Mimikatz, which is almost always used maliciously, have legitimate uses. For example, PowerShell is widely used within enterprises and the vast majority of scripts are legitimate. Similarly, PsExec is frequently used by systems administrators.
In January of this year, Symantec researchers were alerted to an attack on a large telecoms operator in Southeast Asia. It was observed that the attacker was using PsExec to move laterally between computers on the company’s network. It was this malicious use of a legitimate process that caused alarm. Symantec researchers, with the assistance of machine learning threat detection software, were quickly able to determine that the attackers were attempting to remotely install a previously unknown piece of malware on computers within the victim’s network. After a bit of analysis, it was determined that the malware was an updated version of Trojan.Rikamanu, malware that the group had been using since 2013.
It was then discovered that Thrip was targeting a satellite communications operator. The group seemed incredibly interested in the operational side of the business, looking to infect computers running software that monitors and controls satellites. This suggests that Thrip’s motives go beyond spying and may also include disruption. Another target was an organization involved in geospatial imaging and mapping. Again, Thrip seemed to be mainly interested in the operational side of the company. In order to steal this information, the group targeted computers running MapXtreme GIS (Geographic Information System) software. Such software is used for tasks such as developing custom geospatial applications or integrating location-based data into other applications. It also targeted machines running Google Earth Server and Garmin imaging software.
From the researchers' analysis, it was determined that the group had also targeted three different telecoms operators, all based in Southeast Asia. In all cases, it appeared that the telecom companies themselves, and not their customers, were the targets of these attacks. Last, but certainly not least, the group targeted a defense contractor. None of the companies targeted have been named specifically. This is probably because they are clients of Symantec and the firm would not want to prejudice any of its clients.
A Highly Targeted Espionage Campaign
Greg Clark, CEO of Symantec, believes Thrip’s most recent campaign is most likely for espionage purposes. Clark further stated,
“The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat.”
When APT groups use “living off the land” tactics, the task of detecting the threat is made infinitely harder. Creating fewer new files on the hard disk, or operating completely filelessly, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. This is where security firms adopting artificial intelligence and machine learning could be at a major advantage. Automated AI has the potential to drastically reduce time frames; if done right, what would take researchers thousands of hours can be done in a matter of hours. This, in turn, leads to faster detection and analysis times in cybersecurity.
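The PsExec lateral movement that tipped off Symantec's researchers, and the "blending in" problem described here, can be illustrated from the defender's side. The following is an added example, not code from the article or from Symantec: it runs two simple heuristics over constructed Windows System log records (Event ID 7045, "a service was installed", which PsExec generates when it installs its default PSEXESVC service on a target host). It flags PsExec service installs by accounts outside an assumed administrative baseline, and any account installing PsExec on several distinct hosts within a short window, the fan-out pattern that distinguishes lateral movement from a single admin task. The account names, host names, timestamps and baseline are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows System log records (Event ID 7045 = service installed),
# modelled on PsExec's default service name; this is not real Thrip telemetry.
EVENTS = [
    {"time": "2018-01-10T09:00:05", "host": "WS-014", "event_id": 7045,
     "account": "CORP\\svc-deploy", "service": "PSEXESVC",
     "image": r"\??\C:\Windows\PSEXESVC.exe"},            # routine admin use
    {"time": "2018-01-10T10:15:00", "host": "SRV-DB1", "event_id": 7045,
     "account": "CORP\\j.tan", "service": "PSEXESVC",
     "image": r"\??\C:\Windows\PSEXESVC.exe"},
    {"time": "2018-01-10T10:16:30", "host": "SRV-FS2", "event_id": 7045,
     "account": "CORP\\j.tan", "service": "PSEXESVC",
     "image": r"\??\C:\Windows\PSEXESVC.exe"},
    {"time": "2018-01-10T10:17:00", "host": "SRV-FS2", "event_id": 7045,
     "account": "NT AUTHORITY\\SYSTEM", "service": "Sysmon",
     "image": r"C:\Windows\Sysmon64.exe"},                 # unrelated service install
    {"time": "2018-01-10T10:18:10", "host": "SRV-SAT3", "event_id": 7045,
     "account": "CORP\\j.tan", "service": "PSEXESVC",
     "image": r"\??\C:\Windows\PSEXESVC.exe"},
]

PSEXEC_IMAGE = re.compile(r"\\PSEXESVC\.exe$", re.IGNORECASE)
KNOWN_ADMIN_ACCOUNTS = {"CORP\\svc-deploy"}   # assumed baseline of sanctioned PsExec users
FANOUT_WINDOW = timedelta(minutes=10)         # assumed tuning values
FANOUT_THRESHOLD = 3

def is_psexec_service_install(ev):
    """True for a 7045 record whose service name or binary matches PsExec's defaults."""
    return ev["event_id"] == 7045 and (
        ev["service"].upper() == "PSEXESVC" or PSEXEC_IMAGE.search(ev["image"]) is not None)

def detect_psexec_lateral_movement(events):
    """Return alerts as (reason, account, sorted hosts) tuples."""
    alerts, by_account = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_psexec_service_install(ev):
            continue
        if ev["account"] not in KNOWN_ADMIN_ACCOUNTS:
            alerts.append(("psexec_by_unbaselined_account", ev["account"], [ev["host"]]))
        by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    for account, installs in by_account.items():      # installs are already time-ordered
        for i, (t0, _) in enumerate(installs):
            hosts = sorted({h for t, h in installs[i:] if t - t0 <= FANOUT_WINDOW})
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append(("psexec_fanout", account, hosts))
                break
    return alerts
```

The baseline check catches a compromised user account driving PsExec, while the fan-out check fires even for a baselined account if it suddenly touches many hosts, which is what a stolen administrative credential would look like.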