A group called Thrip, based in mainland China, has allegedly been caught infiltrating “satellite communications, telecoms, geospatial imaging, and defense organizations in the United States and Southeast Asia,” according to a June 19 press release from California-based cybersecurity company Symantec.
Symantec said it first detected Thrip’s presence in January 2018 using an “artificial intelligence-based” system called Targeted Attack Analytics, and that the company’s researchers then tracked it down.
Thrip apparently uses “legitimate operating system features and network administration tools in an attempt to evade detection” and “custom malware.”
“This is likely espionage,” said Symantec CEO Greg Clark in the press release. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat.”
Symantec did not say which companies were targeted, but in a blog post, researchers noted that Thrip targeted machines running MapXtreme GIS (Geographic Information System) software, Google Earth Server, Garmin imaging software, and software that monitors and controls satellites.
The conclusion reached was that Thrip might have goals that “go beyond spying and may also include disruption.”
This is not the first time Thrip has been accused of being responsible for cyber-espionage. Symantec said it has been monitoring the group since 2013.
In 2015 the U.S. and China made an agreement that “neither country will conduct economic espionage in cyberspace,” according to the Washington Post.
According to Cyberscoop, Thrip had not been spotted being active since that agreement until now.