China Cyberespionage Group Hacks Satellite, Telecom and Defense Firms

Over the past year, a known cyberespionage group from China has been targeting satellite communications companies, telecom operators and defense firms from the United States and Southeast Asia.

The group, tracked as Thrip by researchers from Symantec, has been operating since 2013 and relies on a combination of custom-made malware. In the latest attacks, however, it also began abusing popular system administration tools, including PowerShell, PsExec, WinSCP, LogMeIn and Mimikatz, to perform lateral movement, a tactic known in the security industry as “living off the land”.

In fact, it was the group’s use of PsExec, a Microsoft Sysinternals utility, inside the network of a large telecom operator from Southeast Asia in January that raised an alert in a Symantec product that uses machine learning to discover threats.
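The detection angle described above can be reproduced in a simplified form without a machine-learning product: count how many of the administration tools named in the report run on the same host. The following is an added example, not Symantec's logic or code from the original article; it assumes a constructed `host|user|image|cmdline` process-creation log format and sample lines that are invented for illustration.

```python
"""Flag hosts on which several of the admin tools Thrip abused were executed.
Log format and sample lines are constructed for this example, not real telemetry."""
import re
from collections import defaultdict

# Tools named in the report as abused for lateral movement (image basenames).
LOTL_TOOLS = {
    "psexec.exe": "PsExec", "psexesvc.exe": "PsExec",
    "powershell.exe": "PowerShell", "winscp.exe": "WinSCP",
    "logmein.exe": "LogMeIn", "mimikatz.exe": "Mimikatz",
}

# Constructed sample process-creation lines: host|user|image path|command line.
SAMPLE_LOG = """\
host01|alice|C:\\Windows\\System32\\notepad.exe|notepad.exe
host01|svc_admin|C:\\Tools\\PsExec.exe|psexec.exe \\\\host07 ipconfig
host01|svc_admin|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Service
host01|svc_admin|C:\\Tools\\mimikatz.exe|mimikatz.exe
host07|SYSTEM|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe
host02|bob|C:\\Program Files\\WinSCP\\WinSCP.exe|WinSCP.exe
"""

LINE_RE = re.compile(r"^(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$")


def parse_line(line):
    """Parse one log line into a dict, adding the lower-cased image basename."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["basename"] = rec["image"].rsplit("\\", 1)[-1].lower()
    return rec


def tools_per_host(log_text):
    """Return {host: set of tool names from LOTL_TOOLS observed on that host}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["basename"] in LOTL_TOOLS:
            seen[rec["host"]].add(LOTL_TOOLS[rec["basename"]])
    return dict(seen)


def flag_hosts(log_text, threshold=2):
    """Hosts where at least `threshold` distinct tools ran; a single PsExec
    run is normal administration, several tools together warrant a look."""
    return sorted(h for h, t in tools_per_host(log_text).items() if len(t) >= threshold)


if __name__ == "__main__":
    print(flag_hosts(SAMPLE_LOG))
```

The threshold is a tunable assumption; in practice it would be combined with baselining of which accounts normally run these tools.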

The subsequent investigation led to the uncovering of additional victims that had been compromised by the group since last year, including a satellite communications operator, an organization involved in geospatial imaging and mapping, two other telecom firms and a defense contractor.

The attackers seemed particularly interested in the operational side of the companies, targeting systems that are used to monitor and control satellites or that run specialized software including MapXtreme GIS (Geographic Information System), Google Earth server and Garmin imaging software.

“This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” the Symantec researchers warned in a blog post.

In the case of telecom operators, evidence also suggests the attackers were not interested in their customers, but in the companies themselves.

While investigating the latest attacks, the Symantec researchers discovered a new version of Rikamanu, a custom Trojan program associated with the group, that can steal credentials and other information from infected computers.

The researchers also found a completely new malware program they dubbed Infostealer.Catchamas, which is based on Rikamanu but has additional features and capabilities including the ability to steal information from the latest browsers.

Other malware programs associated with Thrip’s past activity but not seen in the latest attacks are a keylogger called Mycicil, a backdoor program called Spedear and another Trojan known as Syndicasec.

“From the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger picture of a cyber espionage campaign originating from computers within China and targeting multiple organizations in the U.S. and Southeast Asia,” the Symantec researchers concluded. “Espionage is the group’s likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so.”

Critical Vulnerabilities Patched in Industrial Ethernet Switches

Four serious vulnerabilities were found and patched in industrial Ethernet switches made by Phoenix Contact, an electrical engineering and automation company. If left unpatched, some of the flaws could allow attackers to execute malicious commands and code on the networking devices, which are used in facilities from various industries.

The most serious vulnerability is tracked as CVE-2018-10730 and has a CVSS score of 9.1 out of 10, according to researchers from Positive Technologies, who found the flaws. By exploiting this vulnerability, attackers could execute rogue commands on the switches, including a command to disconnect all devices, which would cause disruptions on industrial networks.

Another vulnerability, CVE-2018-10731 (CVSS 9.0), allows unauthorized access to OS files on the switches, while a third flaw, CVE-2018-10728 (CVSS 8.1), can be exploited to execute arbitrary code, cause a denial of service or disable the web and Telnet services. The fourth vulnerability, CVE-2018-10729 (CVSS 5.3), allows attackers to read the configuration files of the affected switches.

The flaws affect FL SWITCH models 3xxx, 4xxx and 48xx. Phoenix Contact has released firmware version 1.34 to fix the vulnerabilities, so users are advised to update the firmware on their devices as soon as possible.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42