View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Symantec Identifies Major Security Breach in Defence Contractor and Satellites

Attackers using computer operating systems to install malware

By CBR Staff Writer

A satellite communications operator and a defence contractor are among the targets of a cyber-security breach identified by Symantec.

Symantec a cyber-security organisation have exposed what they believe is cyber espionage activities by a group called Thrip, located in mainland China.

The breaches were identified by Symantec’s AI based Target Attack Analytics (TAA) software. It was the TAA that highlighted oddities last January in a large telecommunication operator in Southeast Asia.

Outlining the results of their investigation in a blog post, Symantec shed light on how the TAA runs through “Symantec’s data lake of telemetry in order to spot patterns associated with targeted attacks. Its advanced AI automates what previously would have taken thousands of hours of analyst time.”

The TAA spotted an attacker using PsExec to move laterally through computers within the telecommunication operator’s company network.

“PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land,” noted Symantec.

Living off the Land refers to the practice of attackers using a computers’ own operating systems to compromise computers with malware.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Organisational Vulnerabilities

Speaking to Computer Business Review Scott Walker, Senior Solutions Engineer at Bomgar told us: “In this attack the hackers needed two things, insecure access and a privileged account that let them move laterally in their systems.”

“It’s common for businesses to have antivirus and intrusion detection tools in place to protect their networks, and these state-sponsored attacks take note of what solutions businesses typically employ and use them to identify the vulnerabilities in an organisations’ defence.”

In their investigation Symantec found an updated version of Trojan.Rikamanu malware. This particular malware is associated with Thrip, a group Symantec have been monitoring since 2013.

Not only did the TAA flag the malicious use of the PsExec, it also informed Symantec that the attackers were attempting to remotely install the above Trojan.

Upon further investigation they uncovered a new piece of malware called Infostealer.Catchamas which is designed to syphon off information from a compromised computer.

Four Targets Discovered

Starting with the telecommunication company, Symantec have gone on to identify three more targets of Thrip, these are an organisation involved in geospatial imaging and mapping, a defence contractor and a satellite communications operator.

Symantec believe that the attack on the satellite communications operator was aimed at the operational side of the organisation and that the attackers were: “looking for and infecting computers running software that monitors and controls satellites.” This could mean that the greater intention was not just to monitor information, but was aimed at disruption as well, stated Symantec.

“We’d be naïve to say that these types of attacks aren’t going to happen,” Scott Walker told Computer Business Review.

When your organisation is under attack it is about reducing how much access and ground the attackers can take: “employing a tool that can rotate privileged credentials en-masse in the event of a breach can shut down any further access or lateral movement from a threat actor.”

“With cybercriminals already understanding that access and identity management is a weakness in today’s organisations, it’s time for businesses to prioritise defending against these methods of attacks.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU