China-linked hackers breached defence companies: Symantec


A new attack campaign originating from computers in China has infiltrated satellite communications, telecoms, geospatial imaging, and defence organisations in the US and Southeast Asia, warns cybersecurity giant Symantec.

The latest campaign is being conducted by the Thrip group, security researchers at Symantec said on Tuesday. 

"This is likely espionage," Greg Clark, Symantec CEO, said in a statement.

"Alarmingly, the group seems keenly interested in telecom, satellite operators, and defence companies. We stand ready to work with appropriate authorities to address this serious threat," Clark added.

Symantec said it has been monitoring Thrip since 2013, and has discovered new tools and techniques used by the group in this most recent set of attacks.

The company said its Artificial Intelligence (AI)-based "Targeted Attack Analytics" (TAA) technology helped researchers expose the new attack campaign from the Thrip group.

TAA leverages AI and advanced machine learning to comb through Symantec's data lake of telemetry in order to spot patterns associated with targeted attacks. 

"The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organisations won't notice their presence," Clark said.

"They operate very quietly, blending in to networks, and are only discovered using AI that can identify and flag their movements."

From an initial alert triggered by TAA in January 2018, Symantec researchers were able to follow a trail that enabled them to determine that the campaign originated from machines based in mainland China.

Using these techniques, TAA detected suspicious behaviour despite the group's use of legitimate operating system features and network administration tools in an attempt to evade detection. 

This technology also uncovered the use of custom malware in these attacks, as well as identifying the types of organisations targeted, Symantec said.