Chinese APT “Thrip” Identified
By David Fratini on October 25, 2019
In early September Symantec information security researchers discovered that a “new” Chinese cyber espionage group detected last June, “Thrip”, is actually a subsidiary of another, larger Chinese espionage organization and has been active for a decade. The parent organization, “Lotus Blossom”, is an established and highly active APT based in China with ties to the People’s Liberation Army (PLA).
Thrip was identified through a custom backdoor it developed, Hannotog, which takes advantage of Windows Management Instrumentation (WMI). It was first detected in a Malaysian organization where it was flagged by a Symantec commercial IDS. Using proprietary AI, Symantec is able to compare attacks in near real-time to a massive library of prior incidents. The software is capable of identifying extremely subtle patterns in attacks through its examinations, much more quickly than previously possible. The signature of malware flagged by a Symantec system is added to this library in conjunction with useful metadata to contextualize the flagged data. This is what allowed Symantec’s AI to identify Hannotog as a tool of Thrip and later linked to Lotus Blossom through a second backdoor known as Sagerunex, which is an evolution of a backdoor used by Lotus Blossom.
Retrieved from Symantec
Since being identified in June, Thrip has conducted attacks on over a dozen organizations in Southeast Asia. Thrip’s targets are telecommunications companies, mapping and geospatial organizations, and defense contractors, and to a lesser extent maritime and educational targets.
In Southeast Asia, specifically Indonesia, Malaysia, the Philippines, and Vietnam, several large telecommunications companies have been breached by Thrip. Interestingly it seems that the organizations themselves, not their customers were the target.
Thrip seems especially interested in targets that monitor and control satellites. The express purpose of targeting of satellite communications is inconclusive, however, as China is aggressively pursuing a 5G program it is within the realm of possibility that they are looking to monitor other telecom developers in the Pacific region. According to a June, 2019 Forbes article, this theory is plausible. Forbes cybersecurity contributor Zak Doffman discusses how Chinese assets have targeted Nokia and Ericsson (the leading organizations working on 5G technologies outside of China’s Huawei) to identify and exploit vulnerabilities, and then passed these results to 5G testers in an effort to give Huawei a competitive edge.
In December of 2018 Meng Wanzhou, CFO of Huawei, was arrested at the Vancouver International Airport by Canadian authorities for violation of international sanctions on Iran and defrauding of several financial institutions. China responded aggressively and made claims of white supremacy and unethical targeting of Chinese tech companies while simultaneously refusing to acknowledge evidence of spyware in Huawei hardware and services or the charges which were levied against Ms. Wanzhou.
Huawei’s rival company in China, ZTE, has also faced accusations violating international sanctions on Iran, which shows a disturbing pattern. It seems that Chinese tech firms have no reservations in breaking the law, violating moral boundaries, or creating privacy violating technology so long as it supports Chinese interests. At the same time, the only issue the Communist Party of China seems to find when these facts come to light is with the organizations confronting the violations – the line between corporate and communist authorities seems to be very thin indeed.
According to the New Jersey Cyber Security & Communication Integration Cell (NJCCIC):
… users and administrators in the geospatial, telecommunications, and defense industries, as well as other organizations that may be considered high-value targets for cyber-espionage activity, review the Symantec report and scan networks using the IOCs provided. Organizations are encouraged to employ cybersecurity best practices and consider integrating an anomaly-based intrusion detection system to identify potentially malicious behavior even when legitimate tools are used.
The Symantec report referred to can be found at:
Despite Symantec’s impressive software, it still took over a year to identify Thrip as a component of Lotus Blossom. One reason for this is that Thrip operatives rely heavily on “living off the land” techniques. Living off the land refers to exploitation techniques that pre-existing, built-in tools of OS and network environments. In addition to being significantly harder to detect, the use of built-in tools leaves fewer clues for investigators who would typically focus on malware signatures to identify the source of an attack.
Ironically, Thrip’s attempts at covertly traversing networks aided Symantec in detecting them. Thrip’s unorthodox use of PsExec was detected by heuristic-based monitoring software which noticed PsExec exhibiting behavior that deviated from baselines.
Thrip is also capable of deploying sophisticated malware, especially against systems of acute interest. Catchamas, a Trojan designed to discreetly exfiltrate data, was developed by Thrip and used in several attacks on telecommunications organizations. Deconstruction of the malware showed sophisticated techniques designed to evade detection.
In the past, Chinese cyber-espionage has been more “turn-and-burn”, with aggressive exfiltration of as much data as possible. The emergence of Thrip marks (at least a partial) departure from these methods and a drift towards the quiet surveillance and sabotage seen from adversaries such as Russia. Analysis of the backdoor Hannotog further supports the theory that Chinese agents are looking at persistence as a primary objective in their cyber-espionage activities rather than infiltration and loud, aggressive retrieval. Despite this focus on persistence it is apparent that exposure will not deter, or even slow, Thrip’s activities. Usually, after a high-profile incident in which cyber-espionage activities are revealed we witness a significant downtick in the group’s activities; such as with Russia and North Korea after the Podesta and South Korean bank hacks respectively. With Thrip, we have not seen this slowing of activities.
We can expect Thrip to continue its attacks and potentially expand its operations outside of Southeast Asia in the coming months. The Communist Party continues to deny involvement and block investigation attempts, slowing the attribution and positive identification process.
APT Group Thrip Targets Geospatial, Telecommunications, and Defense Companies — NJCCIC. (2018, June 26). Retrieved from https://www.cyber.nj.gov/alerts-and-advisories/20180626/apt-group-thrip-targets-geospatial-telecommunications-and-defense-companies?rq=thrip
Burt, J. (2019, September 11). Chinese APT Group ‘Thrip’ Powers Ahead. Retrieved from https://www.bankinfosecurity.com/chinese-apt-group-thrip-powers-ahead-a-13077
Canadian Department of Justice Office of Public Affairs. (2019, January 28). Chinese Telecommunications Conglomerate Huawei and Huawei CFO Wanzhou Meng Charged With Financial Fraud. Retrieved from https://www.justice.gov/opa/pr/chinese-telecommunications-conglomerate-huawei-and-huawei-cfo-wanzhou-meng-charged-financial
Chinese cyber-espionage group Thrip targets organizations in South East Asia Hacker News. (2019, September 10). Retrieved from https://cyware.com/news/chinese-cyber-espionage-group-thrip-targets-organizations-in-south-east-asia-10316c8a
Doffman, Z. (2019, June 1). Huawei: China’s State Hackers ‘Rigging 5G Tests’ Against Nokia And Ericsson. Retrieved from forbes.com 9/27/2019
Kovacs, E. (2019, September 9). China-Linked ‘Thrip’ Cyberspies Continue Attacks on Southeast Asia | SecurityWeek.Com. Retrieved from https://www.securityweek.com/china-linked-thrip-cyberspies-continue-attacks-southeast-asia
Menn, J. (2018, June 19). China-based campaign breached satellite, defense companies -Symantec. Retrieved from https://www.reuters.com/article/china-usa-cyber/china-based-campaign-breached-satellite-defense-companies-symantec-idUSL1N1TL1K1
Thrip: Ambitious Attacks Against High Level Targets Continue. (2019, September 9). Retrieved from https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia
Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. (2109, June 19). Retrieved from https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
Vavra, S. (2019, September 9). Symantec finds that a ‘new’ Chinese hacking group has actually been around for a decade. Retrieved from https://www.cyberscoop.com/thrip-lotus-blossom-symantec-china/
Vijayan, J. (2019, September 27). Public Exposure Does Little to Slow China-Based Thrip APT. Retrieved from https://www.darkreading.com/attacks-breaches/public-exposure-does-little-to-slow-china-based-thrip-apt/d/d-id/1335764