China-based espionage group attacks high level targets
The China-based Thrip group was first exposed in 2018 and has carried out attacks across South East Asia, mainly targeting military organizations and satellite communications operators.
New research from Symantec shows that since June 2018 Thrip has attacked 12 targets located in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam. Analysis of the attacks shows close links to another long-established espionage group called Billbug, making it likely that the two are the same.
The recent activity was uncovered by Symantec following the discovery of a Thrip tool, a backdoor called Hannotog, which appears to have been used since at least January 2017. Symantec's Targeted Attack Analytics (TAA) allowed it to identify Hannotog and from there build a picture of the tools, tactics, and procedures the group is using.
Hannotog is a custom backdoor which provides the attackers with a persistent presence on the victim’s network. It has been used in conjunction with several other Thrip tools, including Sagerunex, another custom backdoor providing remote access to the attackers, and Catchamas, a custom Trojan deployed on selected computers of interest and designed to steal information.
"Thrip's recent and earlier campaigns have focused on a range of ambitious targets, including several military targets," says Orla Cox, director of security response at Symantec. "While espionage appears to be the main motive, Thrip's earlier attacks also demonstrated interest in the operational side of a satellite communications operator, indicating disruption as a possible motive. Thrip has continued to target organizations in the satellite communications sector and appears to have been undeterred by its exposure last year, demonstrating that they are a highly-motivated group and unlikely to cease activities any time soon."
You can read more on the Symantec blog.