A Chinese group called Thrip has launched a wave of cyberattacks in the last 18 months and has specifically targeted a satellite operator, a telecommunication company, a geospatial imaging company and a defense contractor, the security company Symantec announced June 19.
The news marks yet another allegation of digital espionage from the Asian giant.
Symantec said the attacks raise the possibility that communications traffic could be intercepted or altered.
“This is likely espionage,” said Greg Clark, Symantec CEO. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements.”
In one case, Thrip targeted a satellite communications operator’s “operational side of the company,” preying on infected computers that ran software and controls satellites.
“This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” the group added in a blog post.
In another case, a geospatial imaging and mapping organization was targeted, seeking out machines that ran Google Earth Server and Garmin imaging software.
A defense contractor was also targeted, according to Symantec, although the group did not provide more details. Three telecommunications operators in southeast Asia were also allegedly targeted.
Beginning in 2013, evidence suggests Thrip first used custom malware to infect targets. But since 2017, the group has “switched to a mixture of custom malware and ‘living off the land tools’” meaning targeting essential operating systems of a network.
The allegation is another example of China targeting American defense contractors. Cyberattacks sponsored by the Chinese government infiltrated a U.S. defense contractor’s computers in early 2018, according to the Washington Post. Sensitive data regarding a submarine anti-ship missile was allegedly stolen.