Hacking groups are getting busy--or perhaps busier. Symantec announced that attackers believed to be located in China have targeted satellite, telecommunications, and defense companies in the U.S. and Southeast Asia. Meanwhile, researchers at Kaspersky revealed that the Olympic Destroyer group that targeted the Winter Olympic Games 2018 in Pyeongchang, South Korea has set its sights on biological and chemical threat protection labs in Europe.
The attacks discovered by Symantec are thought to be the work of Thrip, a hacking group the company has been tracking since 2013, and were traced back to three computers in China. Symantec discovered attacks on a satellite communications operator, a geospatial mapping company, three Southeast Asian telecom operators, and a U.S. defense contractor. All of these targets would be high priorities for China-sponsored attackers.
Hacks traced back to China are often motivated by corporate espionage. (Why bother going through R&D yourself when you can just steal another company's work?) Symantec believes these attacks may have a different motive--disrupting the companies' operations. Thrip is said to have specifically targeted devices that monitor and control satellites, for example, or which are used to develop custom geospatial applications.
Thrip is said to use a variety of readily available hacking tools and custom malware as part of its attacks. This mix of tools is supposed to make it harder to attribute the attacks to the group and effectively allow Thrip to hide in plain sight, to paraphrase Symantec. Still, the company said it's already protecting its customers from Thrip's attacks, and has advised its customers on the best ways to make sure the hacking group can't affect them.
Kaspersky's discovery is even less straightforward. The company said it's observed attacks on Russia's financial sector, as well as organizations in Ukraine, the Netherlands, Germany, and other European countries. This seeming lack of focus raises several possibilities: the attackers could be targeting Russia's financial sector as a "false flag" or distraction tactic, for example, or they could be taking on jobs for various groups.
Regardless of the motivations, these attacks could still be damaging, and Kaspersky said they'll only get harder to attribute or defend against:
"The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders. Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies. The best thing we can do as researchers is to keep tracking threats like this. We will keep monitoring Olympic Destroyer and report on new discovered activities of this group."