
China-based hacking group targets satellites

June 20, 2018 | Expert Insights

US-based cybersecurity firm Symantec Corp has alleged that a China-based hacking group has used malware to extract data from sensitive systems such as satellite operators. The company did not blame the Chinese government. It noted that the malware had the potential to be used for disruptive purposes.

Background

Cyber-attacks are a growing security threat for nations across the world. Last year, in the “WannaCry” virus attack, 200,000 individual users across 150 countries had their information held at ransom by malware. In February this year, the United Kingdom and the United States formally identified Russia as the propagator of the 2017 NotPetya cyber-attacks. The NotPetya attacks affected corporations across the world and led to a loss of approximately $1.2 billion.

China has played an increasing hand in cyber-attacks. In September 2015, in a bid to avert economic sanctions, Chinese President Xi Jinping pledged to President Barack Obama that China would refrain from conducting commercial cyberespionage against the United States. However, China’s cyber espionage and offensive capabilities have continued to develop. China is suspected of cyber-attacks on two US satellites through a ground station in Norway in 2007 and 2008. Beijing is a key suspect in the 2014 attack on a satellite operated by the US National Oceanic and Atmospheric Administration. Chinese officials have been accused of the theft of data regarding the F-35, the Patriot PAC-3 missile system and the Terminal High Altitude Area Defense system. Earlier this month, The Washington Post reported that China had attacked servers belonging to a US Navy contractor, accessing 614 gigabytes of sensitive data on undersea operations. Some have attributed the hack to the Chinese Ministry of State Security (MSS).

Satellites are a major vulnerability when it comes to cyber warfare. Studies have noted that nation states are increasingly shifting from traditional capabilities, such as the development of anti-satellite (ASAT) weapons, to digital attacks. Satellites and space systems form major channels of communication, strategic coordination, and information gathering, and are therefore vital to national security. Human dependence on systems such as GPS means that disruption or manipulation of satellites and other space infrastructure could affect a country’s military, trade, financial, and civil sectors. International think tank Chatham House notes, “Cyberattacks on satellites can include jamming, spoofing and hacking attacks on communication networks; targeting control systems or mission packages; and attacks on the ground infrastructure such as satellite control centres.”

Analysis

Symantec Corp, an American cybersecurity and software company headquartered in California, has alleged that China-based hackers have conducted “a wide-ranging cyber espionage campaign” against sensitive targets using “powerful malware”. Symantec is one of the most popular commercial security software companies.

In a recent blog post, Symantec noted that it had been tracking malicious activity by the group “Thrip” since January this year. The company traced the campaign to computers based in mainland China. Thrip had reportedly used a “living off the land” strategy to surreptitiously attempt to infiltrate a number of sensitive operations, including a satellite communications operator, Southeast Asian telecom operators, a defense contractor, and an organization involved in geospatial imaging and mapping.

By using “living off the land” tools, the attackers manipulate legitimate software already installed on the user’s computer “to compromise victims’ networks”. Because no custom tooling needs to be dropped for this stage, it is harder to attribute the activity to a specific perpetrator and harder to distinguish it from legitimate administration. PsExec, a “Microsoft Sysinternals tool for executing processes on other systems”, was the most widely used software for this purpose. Symantec claimed that it had identified attempts to “remotely install a previously unknown piece of malware on computers within the victim’s network.” The company identified the malware as “an updated version of Trojan.Rikamanu,” which it could link back to Thrip.
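The defensive counterpart to the PsExec-based “living off the land” technique described above is to watch for the trace PsExec leaves on the remote host: it installs a temporary Windows service (by default named PSEXESVC, backed by PSEXESVC.exe) to run the requested command. The following detector is an added example, not code from Symantec or the Thrip report; it assumes Windows System log “service installed” records (EventID 7045) have already been parsed into dictionaries, and the sample records are constructed for illustration.

```python
"""Flag PsExec-style service installs in parsed Windows EventID 7045 records.

Added example (not Symantec's or the group's code). Assumes PsExec's default
behaviour of registering a PSEXESVC service; renamed services are still caught
when the binary path keeps the PSEXESVC.exe name.
"""
import re
from typing import Dict, List

# Constructed sample records, shaped like fields a SIEM extracts from the
# System log "A service was installed in the system" event (ID 7045).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 7045, "Computer": "sat-ops-01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": r"CORP\admin01"},
    {"EventID": 7045, "Computer": "sat-ops-02", "ServiceName": "WinDefend",
     "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "telco-gw-07", "ServiceName": "svc-update",
     "ImagePath": r"C:\Windows\PSEXESVC.exe", "AccountName": r"CORP\svc-backup"},
    {"EventID": 4624, "Computer": "sat-ops-01", "AccountName": r"CORP\admin01"},
]

# Default PsExec service/binary name; matched case-insensitively in either field.
PSEXEC_PATTERN = re.compile(r"psexesvc", re.IGNORECASE)


def is_psexec_service_install(event: Dict) -> bool:
    """True when a 7045 record names PsExec's service or its binary."""
    if event.get("EventID") != 7045:
        return False
    fields = (event.get("ServiceName", ""), event.get("ImagePath", ""))
    return any(PSEXEC_PATTERN.search(f) for f in fields)


def find_psexec_installs(events: List[Dict]) -> List[Dict]:
    """Return one alert (host, installing account, service name) per match."""
    return [
        {"host": ev["Computer"], "account": ev["AccountName"],
         "service": ev["ServiceName"]}
        for ev in events if is_psexec_service_install(ev)
    ]


if __name__ == "__main__":
    for alert in find_psexec_installs(SAMPLE_EVENTS):
        print(f"[ALERT] PsExec service install on {alert['host']} "
              f"by {alert['account']} (service {alert['service']})")
```

In practice the alerts are most useful when correlated with the installing account: one account registering PSEXESVC on many hosts in a short window is the lateral-movement pattern worth triaging first.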

The company noted that the malware was targeted towards “infecting computers running software that monitors and controls satellites,” and may have been looking to target telecom operators themselves rather than their customers. “This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” Symantec wrote. “Espionage is the group’s likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so.”

The company told media that it had shared information with the FBI and Department of Homeland Security, as well as agencies in Asia. Officials told Reuters that the hackers had been removed from the infected systems. Observers have noted that the report comes at a particularly sensitive time. President Trump has approved the lifting of a ban on Chinese telecom firm ZTE amidst widespread congressional opposition on the basis of security concerns.

Assessment

Our assessment is that disruptions to satellite systems could have disastrous consequences for civil and military operations worldwide. As stated previously, we believe that cyber-attacks are a new form of asymmetric warfare and must be treated as tangible threats to national security. We believe that states must begin developing frameworks to improve both offensive and defensive cyber capabilities.