According to the Security Response Attack Investigation Team at Symantec, groups engaged in cyber espionage have grown wise to traditional detection techniques, opting instead to exploit the features or administrative tools inherent in an operating system to compromise networks more discreetly. It’s a shrewd approach Symantec has dubbed ‘living off the land’. Doing so enables hackers to disguise their activities amid a ‘sea of legitimate processes’; and as more hackers adopt this approach, the process of attributing attacks and distinguishing one group from another becomes all the more muddled.
While this trend doesn’t necessarily mean espionage attacks are going undiscovered, it does mean that they can take longer for analysts to investigate. Hence Symantec’s Targeted Attack Analytics (TAA) technology, which applies advanced artificial intelligence and machine learning to sift through data streams and distinguish targeted attack patterns with greater efficiency.
So far, artificial intelligence has proven to be a force multiplier in the fight against cyber espionage. In January, TAA queried routine activity on the network of a large telecoms operator in Southeast Asia. Hackers had attempted to exploit PsExec to move laterally between computers, it later emerged. For the uninitiated, PsExec is a dedicated Microsoft Sysinternals tool able to execute processes on other systems. Unfortunately, its legitimacy has made the tool a frequent target for those looking to live off the land.
TAA was not only able to identify the breach, however; it was also able to explain to Symantec the hackers’ methods. They had attempted to remotely install a piece of previously unknown malware (Infostealer.Catchamas) on computers linked to the company’s network. Armed with this knowledge, Symantec was able to broaden its search criteria and cast a global net in the hope of identifying similar instances. Soon, analysts had uncovered a wide-ranging campaign of cyber espionage which saw powerful malware used to unsettling effect.
Symantec has since christened the organisation responsible ‘Thrip’, presumably in reference to the garden pest of the same name. Thrip was tracked to China, where Symantec linked three terminals to cyber attacks with a similar modus operandi. Targets included organisations operating in the communications, geospatial imaging and defence sectors, both in the United States and Southeast Asia.
“This is likely espionage,” confirmed Symantec CEO Greg Clark. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organisations won’t notice their presence. They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecoms, satellite operators and defence companies. We stand ready to work with appropriate authorities to address this serious threat.”
According to Symantec, the most troubling discovery was the suspected targeting of a satellite communications operator. Here, the operational side of the business was of particular interest to Thrip. Hackers had attempted to infiltrate computers running software used to monitor and control active satellites. For Symantec, this revelation has big implications – it suggests that Thrip’s motives go beyond espionage and may even include disruption.
Elsewhere, a second organisation – this time specialising in geospatial imaging and mapping – was targeted. Again, Thrip took great interest in the operational side of things. Computers running MapXtreme Geographic Information System (GIS) software – used to develop custom geospatial applications or integrate location-based data into other applications – were waylaid, as were machines running Google Earth Server and Garmin imaging software.
Thrip went on to target three separate Southeast Asia-based telecoms operators. In each instance, based on the nature of the computers compromised by Thrip, it appeared that the telecoms companies themselves – and not their customers – were the intended targets of the attacks. Finally, Symantec identified a fourth target of interest – a defence contractor – though the specifics of that attack have yet to be disclosed.
Whether any of this would have been possible without Symantec’s Targeted Attack Analytics technology remains to be seen. But artificial intelligence and machine learning certainly have the potential to tip the scales of cyberspace in security’s favour. Anyone operating in the defence sector, where security is of critical importance, would be wise to take note.
If you would like to join our community and read more articles like this then please click here.