A group known as Thrip, which is believed to have ties to the Chinese government, has been found targeting satellite, telecom, and defense systems belonging to the United States and several Southeast Asian nations. The group uses compromised legitimate networks as the launch point for attacks on its intended targets. Thrip relies on a number of publicly available tools to carry out its actions, such as PsExec, Mimikatz, WinSCP, and LogMeIn. The group infiltrates legitimate networks and then works to keep its actions as quiet as possible, attempting to blend its activity into the infected networks' legitimate processes, which is made easier by using publicly available tools. This also affords the group an extra layer of protection: when investigators trace an attack back to its source, the trail leads to another victim's network. It is believed at this time that the group is possibly looking to compromise the targeted systems for destructive and disruptive purposes rather than just intelligence gathering. With the ongoing conflicts in the South China Sea, it would be very beneficial for China to have the option of both intelligence gathering and disruption of "enemy" systems in case conflicts escalate further.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in