Symantec Helps Uncover Cyber Espionage Activity Targeting Satellite, Telecom, Geospatial Imaging and Defense Companies in the US and Southeast Asia

Symantec Corp., the world’s leading cyber security company, today announced that Symantec’s artificial intelligence-based Targeted Attack Analytics (TAA) technology helped researchers expose a new attack campaign from a group called Thrip, which has infiltrated satellite communications, telecoms, geospatial imaging, and defense organizations in the United States and Southeast Asia. TAA’s advanced AI technology was instrumental in the discovery of the attack, alerting Symantec’s Attack Investigations team to activity that on the surface appeared innocuous but set them on the path to uncovering the latest campaign conducted by the Thrip group. Symantec has been monitoring Thrip since 2013, and has discovered new tools and techniques used by the group in this most recent set of attacks.

TAA leverages AI and advanced machine learning to comb through Symantec’s data lake of telemetry in order to spot patterns associated with targeted attacks. This technology essentially automates what previously took thousands of hours of analyst time and is available in Symantec’s Advanced Threat Protection (ATP) product. From an initial alert triggered by TAA in January 2018, Symantec researchers were able to follow a trail that enabled them to determine that the campaign originated from machines based in mainland China. Using this analysis, TAA detected suspicious behavior despite the group’s use of legitimate operating system features and network administration tools in an attempt to evade detection. TAA also uncovered the use of custom malware in these attacks and identified the types of organizations targeted. Cyber espionage is the group’s likely motive, but given that the group has revealed a strategy of compromising operational systems, it could adopt a more aggressive, disruptive stance should it choose to do so.

“This is likely espionage,” said Greg Clark, Symantec CEO. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat.”

Symantec has sharpened its efforts on network-resident malware, as the many widely known vulnerabilities in IoT devices present a new attack surface of extreme interest to attackers.

Thrip’s attack on telecoms and satellite operators exposes the possibility that the attackers could intercept or even alter communications traffic from enterprises and consumers. This has added to growing privacy concerns that have been very visible lately with the deployment of the new GDPR regulations as well as the VPNFilter attacks on Internet routers. Symantec has responded by opening a new privacy center and data protection lab in order to provide consumers with more control over their data, and organizations with tools to help them responsibly manage the data they handle. Symantec also offers a wide variety of privacy solutions, such as Symantec VIP and Norton WiFi Privacy.

Symantec has been protecting customers from Thrip-related activity since 2013. The following protections are in place against Thrip:

File-based protection

  • Trojan.Rikamanu
  • Infostealer.Catchamas
  • Hacktool.Mimikatz
  • Trojan.Mycicil
  • Backdoor.Spedear
  • Trojan.Syndicasec

Customers of Symantec’s DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received multiple reports on “ATG14” (also known as Thrip), which detail methods of detecting and thwarting activities of this adversary.