Symantec: China-based espionage group continues cyberattacks in SEA

Cybersecurity company Symantec has uncovered new activity by what it describes as a China-based espionage group that has been launching attacks in Southeast Asia, including Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.

Called Thrip, the group specifically targets highly sensitive areas such as military organizations and satellite communications operators, along with a diverse range of other targets in the region.

In its blog post, Symantec said Thrip has attacked at least 12 organizations, all located within Southeast Asia, since Symantec first published details of the group's activities in June 2018. The most recent detected activity of the cyber espionage group was in July 2019, targeting the satellite communications sector.

Symantec was able to detect Thrip’s latest activity with Targeted Attack Analytics (TAA) technology, available in Symantec Endpoint Detection and Response (EDR).

The cybersecurity firm, in its first discovery of the group, traced three computers in China being used to launch the Thrip attacks.

The group has been using a “previously unseen backdoor” called Hannotog. Another backdoor, called Sagerunex, led Symantec to believe that Thrip is related to “another long-established espionage group called Billbug (a.k.a. Lotus Blossom).” The cybersecurity firm concludes that Thrip and Billbug, which has been operating since 2009, are one and the same.

Symantec said Billbug has been using spear-phishing emails or watering hole attacks to gain entry, relying on Microsoft Office and PDF documents. When unsuspecting victims open these email attachments, the group deploys malicious software (malware).

“To date, many of the group’s targets have been governments or military organizations,” Symantec said in the blog post.

While Thrip has targeted many other kinds of organizations, it has set its sights on military targets in two different countries, which Symantec did not name. “It has also attacked organizations in the maritime communications, media, and education sectors.”

Symantec raised particular alarm over Thrip’s attack on a satellite communications operator, in which the group tried to infect “computers running software that monitored and controlled satellites.”

What led Symantec to conclude that the two groups are one is their use of the same Sagerunex backdoor. Comparing strings and code across the two groups' tools, Symantec found that the logging code in both is the same, the logging string format is similar (Evora is simply more verbose), the log name in both starts with “\00EV,” and the command and control (C&C) communication code flows are similar.
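The attribution reasoning above rests on overlap analysis: pulling printable strings out of two tool samples, measuring how much they share, and checking for a distinctive marker such as a common log-name prefix. The following Python script is an added example of that kind of comparison, written for this article; it is not Symantec's tooling and the two "samples" are constructed byte blobs, not real malware. The only page-derived detail is the `\00EV` log-name prefix; every other string is invented for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed stand-ins for two tool samples and one unrelated binary.
# These are NOT real malware; the strings are made up for illustration,
# except the log-name prefix "\x00EV", which the article reports as shared.
SAMPLE_A = (
    b"\x00EVlog.dat\x00"
    b"[%s] cmd=%s status=%d\x00"
    b"Mozilla/4.0 (compatible)\x00"
    b"GET /update.php HTTP/1.1\x00"
    b"\x90\x90\x12\x34"
)
SAMPLE_B = (
    b"\x00EVsession.log\x00"
    b"[%s] cmd=%s status=%d\x00"
    b"[%s] cmd=%s status=%d extra=%s\x00"   # same format, more verbose variant
    b"Mozilla/4.0 (compatible)\x00"
    b"POST /api/v2 HTTP/1.1\x00"
    b"\xde\xad\xbe\xef"
)
UNRELATED = (
    b"config.ini\x00"
    b"Error: %s\x00"
    b"\x01\x02\x03"
)

MIN_LEN = 4  # ignore very short runs, which are mostly noise
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
LOG_PREFIX = b"\x00EV"  # marker the article says both groups' tools share


def extract_strings(blob: bytes) -> Set[str]:
    """Return the set of printable-ASCII runs of at least MIN_LEN bytes."""
    return {m.group().decode("ascii") for m in STRING_RE.finditer(blob)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity of two string sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def has_log_prefix(blob: bytes, prefix: bytes = LOG_PREFIX) -> bool:
    """True if the raw bytes contain the shared log-name prefix."""
    return prefix in blob


def shared_format_strings(shared: Set[str]) -> List[str]:
    """Shared strings that look like printf-style log formats."""
    return sorted(s for s in shared if "%" in s)


def compare(blob_a: bytes, blob_b: bytes) -> Dict[str, object]:
    """Summarise string overlap and marker presence for two samples."""
    sa, sb = extract_strings(blob_a), extract_strings(blob_b)
    shared = sa & sb
    return {
        "shared": sorted(shared),
        "shared_formats": shared_format_strings(shared),
        "jaccard": jaccard(sa, sb),
        "both_log_prefix": has_log_prefix(blob_a) and has_log_prefix(blob_b),
    }


if __name__ == "__main__":
    for name, other in (("SAMPLE_B", SAMPLE_B), ("UNRELATED", UNRELATED)):
        result = compare(SAMPLE_A, other)
        print(f"SAMPLE_A vs {name}: jaccard={result['jaccard']:.3f} "
              f"shared={result['shared']} log_prefix={result['both_log_prefix']}")
```

String overlap alone is weak evidence (common libraries and user-agent strings inflate it), which is why the check pairs it with a marker that is unusual outside the family, here the log-name prefix, and why an analyst would still follow up by comparing the control-flow of the logging and C&C routines rather than stopping at strings.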

According to Symantec, Thrip has continued its activities even though they were exposed last year.

“Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers,” Symantec said.