China-based hack hit satellite firms: Symantec

SAN FRANCISCO • A sophisticated hacking campaign launched from computers in China burrowed deeply into satellite operators, defence contractors and telecommunications companies in the United States and South-east Asia, security researchers at Symantec Corp say.

Symantec said the effort appeared to be driven by national espionage goals, such as the interception of military and civilian communications.

Such interception capabilities are rare but not unheard of, and the researchers could not say what communications, if any, were taken.

More disturbingly in this case, the hackers infected computers that controlled the satellites so they could have changed the positions of the orbiting devices and disrupted data traffic, Symantec said on Tuesday.

"Disruption to satellites could leave civilian as well as military installations subject to huge (real-world) disruptions," said Mr Vikram Thakur, technical director at Symantec.

"We are extremely dependent on their functionality."

Satellites are critical to phone and some Internet links, as well as mapping and positioning data.

Symantec, based in Mountain View, California, described its findings ahead of a planned public release.

It added that the hackers had been removed from infected systems.

Symantec said it has already shared technical information about the hack with the US Federal Bureau of Investigation (FBI) and Department of Homeland Security, along with public defence agencies in Asia and other security firms. The FBI did not respond to a request for comment.

Mr Thakur said Symantec detected the misuse of common software tools at client sites in January, leading to the campaign's discovery at unnamed targets.

He attributed the effort to a group that Symantec calls Thrip, which may be called different names by other companies.

Thrip was active from 2013 and then vanished from the radar for about a year until the last campaign started a year ago. In that period, it developed new tools and began using more widely available administrative and criminal programs, Mr Thakur said.

Other security analysts have also recently tied sophisticated attacks to Chinese groups that had been out of sight for a while, and there could be an overlap.

In March, cyber security firm FireEye said a group it called Temp.Periscope reappeared last summer and went after defence companies and shippers.

FireEye had no immediate comment on the new episode.

It was unclear how Thrip gained entry to the latest systems. In the past, it depended on trick e-mails that carried infected attachments or led recipients to malicious links. This time it did not infect most user computers; instead, it moved among servers, making detection harder.

Following its customary stance, Symantec did not directly blame the Chinese government for the hack. It said the hackers launched their campaign from three computers in China. In theory, those machines could have been compromised by someone elsewhere.

Symantec provides the most widely used paid security software for consumers and an array of higher-end software and services for companies and public agencies.


A version of this article appeared in the print edition of The Straits Times on June 21, 2018, with the headline 'China-based hack hit satellite firms: Symantec'.