
As cyber espionage becomes more prevalent and the methods used more sophisticated, analysts at Symantec are beginning to explore how artificial intelligence and machine learning could thwart potential attacks more quickly. 

According to the Security Response Attack Investigation Team at Symantec, groups engaged in cyber espionage have grown wise to traditional detection techniques, opting instead to exploit the features or administrative tools inherent in an operating system to compromise networks more discreetly. It’s a shrewd approach Symantec has dubbed ‘living off the land’. Doing so enables hackers to disguise their activities amid a ‘sea of legitimate processes’; and as more hackers adopt this approach, the process of attributing attacks and distinguishing one group from another becomes all the more muddled. 

While this trend doesn’t necessarily mean espionage attacks are going undiscovered, it does mean that they can take longer for analysts to investigate. Hence Symantec’s Targeted Attack Analytics (TAA) technology, which applies advanced artificial intelligence and machine learning to sift through data streams and distinguish targeted attack patterns with greater efficiency. 

So far, artificial intelligence has proven to be a force multiplier in the fight against cyber espionage. In January, TAA queried routine activity on the network of a large telecoms operator in Southeast Asia. Hackers had attempted to exploit PsExec to move laterally between computers, it later emerged. For the uninitiated, PsExec is a dedicated Microsoft Sysinternals tool able to execute processes on other systems. Unfortunately, its legitimacy has made the tool a frequent target for those looking to live off the land. 

TAA was not only able to identify the breach, however; it was also able to explain to Symantec the hackers’ methods. They had attempted to remotely install a piece of previously unknown malware (Infostealer.Catchamas) on computers linked to the company’s network. Armed with this knowledge, Symantec was able to broaden its search criteria and cast a global net in the hope of identifying similar instances. Soon, analysts had uncovered a wide-ranging campaign of cyber espionage which saw powerful malware used to unsettling effect.  

Symantec has since christened the organisation responsible ‘Thrip’, presumably in reference to the garden pest of the same name. Thrip was tracked to China, where Symantec linked three terminals to cyber attacks with a similar modus operandi. Targets included organisations operating in the communications, geospatial imaging and defence sectors, both in the United States and Southeast Asia. 

“This is likely espionage,” confirmed Symantec CEO Greg Clark. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organisations won’t notice their presence. They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecoms, satellite operators and defence companies. We stand ready to work with appropriate authorities to address this serious threat.” 

According to Symantec, the most troubling discovery was the suspected targeting of a satellite communications operator. Here, the operational side of the business was of particular interest to Thrip. Hackers had attempted to infiltrate computers running software used to monitor and control active satellites. For Symantec, this revelation has big implications – it suggests that Thrip’s motives go beyond espionage and may even include disruption. 

Elsewhere, a second organisation – this time specialising in geospatial imaging and mapping – was targeted. Again, Thrip took great interest in the operational side of things. Computers running MapXtreme Geographic Information System (GIS) software – used to develop custom geospatial applications or integrate location-based data into other applications – were waylaid, as were machines running Google Earth Server and Garmin imaging software. 

Thrip went on to target three separate Southeast Asia-based telecoms operators. In each instance, based on the nature of the computers compromised by Thrip, it appeared that the telecoms companies themselves – and not their customers – were the intended targets of the attacks. Finally, Symantec identified a fourth target of interest – a defence contractor – though the specifics of that attack have yet to be disclosed. 

Whether any of this would have been possible without Symantec’s Targeted Attack Analytics technology remains to be seen. But artificial intelligence and machine learning certainly have the potential to tip the scales of cyberspace in security’s favour. Anyone operating in the defence sector, where security is of critical importance, would be wise to take note. 


Post written by: Robert Atherton

