Symantec has published a report on a large-scale espionage campaign, run from computers located in China, against telecommunications companies, communication satellite operators and defense contractors in the United States and Southeast Asia.
According to Symantec, the campaign was focused on espionage and on intercepting data from both civilian and military communication channels. In the course of the intrusions, the threat actor infected computers used to control communication satellites and to collect geospatial data. Symantec notes that such access could be used to alter the positioning of devices in orbit or to interfere with data transmission, although the observed activity was espionage rather than disruption.
Symantec experts believe that Thrip, a hacker group monitored since 2013, was behind the attack.
Once inside a network, the attackers relied heavily on legitimate administration tools and dual-use utilities rather than custom malware: PsExec to execute commands on remote hosts, Mimikatz to harvest credentials, WinSCP to transfer files and LogMeIn for remote access. Because administrators use the same tools, this "living off the land" tactic let the activity blend into normal operations and remain undetected. Custom malware was also deployed: the Rikamanu and Syndicasec Trojans, the Catchamas information stealer, the Mycicil keylogger and the Spedear backdoor.
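Because PsExec and Mimikatz are legitimate or dual-use tools, detecting them by file name is unreliable (the binaries are trivially renamed). What remains visible is their behaviour on the endpoint: PsExec installs a service named PSEXESVC and creates a named pipe of the same name on the target, and credential dumping opens a read handle to lsass.exe. The following script, which is an added example and not code from Symantec or from the report, runs those checks over a handful of constructed Windows event records (System log event 7045 for service installation, Sysmon event 17 for named-pipe creation, Sysmon event 10 for process access) and then correlates the hits per host. The hostnames, file paths, the allowlisted security product path and the set of suspicious access masks are assumptions for illustration and should be tuned to the environment.

```python
"""Behavioural detection of PsExec-style lateral movement and LSASS credential
access in Windows event data. Added example; sample events are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


# Access masks commonly seen when a tool reads LSASS memory for credentials.
# 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION. This set is an
# assumption and a starting point; tune it to what your telemetry shows.
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Security products legitimately open LSASS. Allowlist by lowercase full path
# so a copy dropped in a temp directory does not inherit the exemption.
# Hypothetical entry for illustration.
LSASS_ALLOWLIST = {r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe"}

PSEXEC_SERVICE = re.compile(r"psexesvc|psexec", re.IGNORECASE)
PSEXEC_PIPE = re.compile(r"\\psexesvc", re.IGNORECASE)


def detect(events):
    """Return one Finding per event that matches a behavioural rule."""
    findings = []
    for ev in events:
        eid, host = ev["event_id"], ev["host"]
        if eid == 7045:  # System log: Service Control Manager installed a service
            name, path = ev.get("service_name", ""), ev.get("image_path", "")
            if PSEXEC_SERVICE.search(name) or PSEXEC_SERVICE.search(path):
                findings.append(Finding("psexec_service_install", host, f"{name} -> {path}"))
        elif eid == 17:  # Sysmon: named pipe created
            pipe = ev.get("pipe_name", "")
            if PSEXEC_PIPE.search(pipe):
                findings.append(Finding("psexec_named_pipe", host, pipe))
        elif eid == 10:  # Sysmon: one process opened a handle to another
            source = ev.get("source_image", "").lower()
            target = ev.get("target_image", "").lower()
            if target.endswith(r"\lsass.exe") and source not in LSASS_ALLOWLIST:
                mask = int(ev.get("granted_access", "0x0"), 16)
                if mask in SUSPICIOUS_LSASS_ACCESS:
                    findings.append(Finding("lsass_credential_access", host,
                                            f"{source} granted_access={mask:#x}"))
    return findings


def correlate(findings):
    """Hosts showing both remote execution (PsExec) and credential access:
    the combination described in the report, which is far rarer in normal
    administration than either signal on its own."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items()
            if rules & {"psexec_service_install", "psexec_named_pipe"}
            and "lsass_credential_access" in rules}


# Constructed sample telemetry (hostnames and paths are invented).
SAMPLE_EVENTS = [
    {"host": "gs-ops-01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "gs-ops-01", "event_id": 17, "pipe_name": r"\PSEXESVC"},
    # Renamed credential dumper: name-based matching would miss it.
    {"host": "gs-ops-01", "event_id": 10, "source_image": r"C:\Windows\Temp\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Benign: allowlisted AV engine touching LSASS with the same mask.
    {"host": "gs-ops-02", "event_id": 10,
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Benign: an ordinary service install.
    {"host": "gs-ops-02", "event_id": 7045, "service_name": "WinDefend",
     "image_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("hosts to triage:", sorted(correlate(hits)))
```

Run against the sample data, only gs-ops-01 is flagged: the service install, the pipe and the LSASS read all land there, while the allowlisted security product on gs-ops-02 is ignored despite using the same access mask. WinSCP and LogMeIn are not covered here because both are ordinary user applications; for those, baselining which accounts and hosts normally run them is more useful than any single-event rule.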