Public Exposure Does Little to Slow China-Based Thrip APT

Over the past year, the cyber-espionage group has attacked at least 12 other companies in the military, telecom, and satellite sectors, Symantec says.

China-based advanced persistent threat group (APT) Thrip continues to pose a major threat to organizations in the satellite, telecommunications, and military sectors in Southeast Asia more than a year after Symantec first exposed its activities.
Far from being deterred by the exposure, the group has continued its attacks unabated on companies in the region. Since June 2018, Thrip has attacked at least 12 high-level targets in multiple countries, including Hong Kong, Indonesia, Malaysia, and the Philippines, Symantec said in an update on Thrips activities this week.
Thrip, which is known for leveraging legitimate tools such as PsExec, PowerShell, and LogMeIn in its attacks, also has added more custom weapons to its arsenal. According to Symantec, the Chinese group recently began using a previously unseen backdoor called Hannotog to try and gain persistent remote access on compromised systems. Hannotog takes advantage of the built-in Windows Management Instrumentation (WMI) component in Windows as part of its execution on victim networks.
Thrip also is using Sagerunex, another backdoor, recent attacks, suggesting a strong link between Thrip and Billbug Group (aka Lotus Blossom), a well-known Chinese cyber-espionage group that has been operating since at least early 2009. Sagerunex appears to be a more evolved version of malware dubbed Evora, which Billbug has been known to use. Based on this and other available telemetry it appears Thrip is a subgroup of Billbug, Symantec
said
.
For organizations on its radar, Thrip presents a clear and present danger, says Vikram Thakur, technical director at Symantec.
Attackers will continue to target organizations regardless of public exposure of their campaigns and tools, he says. [Organizations] in targeted market segments should take note of the techniques leveraged by Thrip and ensure they have appropriate tools to both instrument and respond in case the attacker turns their way.
One complicating factor is Thrips heavy use of legitimate and dual-use tools for lateral movement, credential theft malware execution, and other malicious activities. By hiding its attack traffic in a sea of legitimate traffic, the group — like a growing number of other threat actors — has made it much harder for organizations to stop them using typical antimalware and theft detection tools.
Beyond Cyber Espionage?
Thrips main motive continues to be cyber espionage, Thakur says. But in at least a few of its attacks, the group appears to have gained a dangerous level of access to operational systems.
In one attack on a satellite communications provider that Symantec
investigated
last year, Thrip actors seemed particularly interested in infecting computers that monitored and controlled satellites. In another attack involving a Southeast Asian geospatial imaging and mapping company, Thrip once again went after operational systems. That time, the group attacked systems using for critical application development tasks and those running imaging software and Google Earth Server.
Thakur says Symantec is not sure what exactly the attackers would have been able to do with their access to these systems. Our visibility stops at attackers being able to get onto machines, he notes.
Data from attacks on at least three other communications firms in Southeast Asia suggested Thrip was primarily targeting the companies themselves and not their customers, Symantec said.
For the moment, at least, Thrip appears solely focused on organizations in Southeast Asia. But theres no telling when that might change. While we dont have any evidence of US targeting in the past year of Thrips activity, this can change at any moment, Thakur warns. We always urge peers within targeted verticals to take note of ongoing attacks and bolster their own defenses in the event the attackers change targeting.
Related Content:
How China & Russia Use Social Media to Sway the West
DHS Warns of Data Theft via Chinese-Made Drones
Chinas Great Cannon: The Great Firewalls More Aggressive Partner
The Truth About Your Software Supply Chain

Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
Phishers Latest Tricks for Reeling in New Victims
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Public Exposure Does Little to Slow China-Based Thrip APT