Experts at Symantec first exposed the
In June 2018, Symantec observed the Thrip group for the first time, at the time the crew has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia.
The Thrip group has been active since 2013, but this is the first time Symantec publicly shared details of its activities.
The group has continued launching attacks against entities in Southeast Asia, including military, satellite communications, media and educational organizations. Symantec experts
“Many of its recent attacks have involved a previously unseen backdoor known as Hannotog (Backdoor
Sagerunex is a custom backdoor providing remote access to the attackers, while Catchamas is a
The experts linked the
The targets of the two groups show significant overlap, Billbug also targeted
“What ties the two groups together is the Sagerunex backdoor. This malware appears to be an evolution of an older Billbug tool known as Evora.” continues the report. “By comparing strings and code flow between the two, we found that:
Billbug is a long-established espionage group, active since at least January 2009. Similar to the Thrip sub-group, the wider Billbug group is known for specializing in operations against targets in South Asia.
The link between
“Thrip appears to have been undeterred by its exposure last year, continuing to mount espionage attacks against a wide range of targets in South East Asia.” concludes the report.
“Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers,”