APT Group Thrip Targets Geospatial, Telecommunications, and Defense Companies

According to researchers at Symantec, since at least January 2018 the cyber-espionage advanced persistent threat (APT) group “Thrip” has targeted multiple US and Southeast Asian companies in the geospatial, telecommunications, and defense industries, showing a particular interest in communications satellites and in geospatial imaging and mapping. The group, believed to be operating out of China, uses a technique known as “living off the land,” in which threat actors rely on legitimate operating system and administration tools to carry out malicious functions, both to hide their activity among normal administrative traffic and to make attribution of attacks more difficult. The legitimate tools Thrip has used are PsExec, PowerShell, WinSCP, LogMeIn, and Mimikatz, though the last of these is a credential-dumping tool that is frequently used for malicious purposes. Using these tools, the group installs the following custom malware variants: Rikamanu, Catchamas, Mycicil, Spedear, and Syndicasec. While this activity appears to be part of a highly targeted cyber-espionage campaign, the group’s targeting of operational systems could indicate an interest in obtaining disruptive capabilities as well.

The NJCCIC recommends that users and administrators in the geospatial, telecommunications, and defense industries, as well as other organizations that may be considered high-value targets for cyber-espionage activity, review the Symantec report and scan their networks using the IOCs it provides. Organizations are encouraged to employ cybersecurity best practices and to consider integrating an anomaly-based intrusion detection system, since signature-based controls alone will not flag potentially malicious behavior when it is carried out with legitimate tools.