Chinese hacking operation uncovered; penetrated key satellite companies and more
Software company Symantec has discovered that Chinese hackers have compromised computer systems operated by satellite operators, defence contractors and telecommunications companies in the United States and southeast Asia.
A hacking group known as Thrip, which Symantec has monitored since 2013, is the likely perpetrator, since the attackers attempted to install the group's calling-card malware “Trojan.Rikamanu” on affected computers.
The group also used a completely new piece of malware in this attack called “Infostealer.Catchamas”.
Three computers in China were being used to launch the Thrip attacks, Symantec said.
“Thrip’s motive is likely espionage and its targets include those in the communications, geospatial imaging, and defence sectors, both in the United States and Southeast Asia,” it said in a blog post.
Such interception capabilities are rare but not unheard of, and the researchers could not say what communications, if any, were taken.
The hackers targeted a satellite communications operator and infected computers that controlled its satellites, theoretically allowing them to change the positions of the orbiting devices and disrupt data traffic.
“Disruption to satellites could leave civilian as well as military installations subject to huge (real world) disruptions,” said Vikram Thakur, technical director at Symantec. “We are extremely dependent on their functionality.”
Satellites are critical to phone and some internet links as well as mapping and positioning data.
Another target was an organisation involved in geospatial imaging and mapping. There, Thrip targeted computers running MapXtreme GIS (Geographic Information System) software, which is used for tasks such as developing custom geospatial applications or integrating location-based data into other applications. It also targeted machines running Google Earth Server and Garmin imaging software.
Symantec said the hackers had been removed from infected systems and it has already shared technical information about the hack with the US Federal Bureau of Investigation and Department of Homeland Security, along with public defence agencies in Asia and other security companies.
Thrip was active from 2013 on and then vanished from the radar for about a year until the last campaign started a year ago. In that period, it developed new tools and began using more widely available administrative and criminal programs, Thakur said.
It was unclear how Thrip gained entry to the latest systems. In the past, it depended on trick emails that had infected attachments or led recipients to malicious links. This time, it did not infect most user computers, instead moving among servers, making detection harder.
Following its customary stance, Symantec did not directly blame the Chinese government for the hack. It said the hackers launched their campaign from three computers on the mainland. In theory, those machines could have been compromised by someone elsewhere.
Last year, Vietnam was targeted by Chinese hackers during a period of tension between the two countries over the South China Sea.