Who Is Thrip and Why Is It Doing These Awful Things?

Symantec Infographic on Thrip Attacks

If your list of things to worry about isn’t long enough, let WC introduce you to Thrip.

Thrip is the name assigned to a group of China-based hackers. They use a mix of hacking tools and legitimate tools that are part of most computer operating systems. They’ve been in action since at least 2013.

Symantec, the security software company, recently published a blog report on Thrip’s latest efforts.1

There were four known targets. The first was an unnamed company that monitors and manages satellite communications. Thrip left digital footprints showing it was trying to install not just software that would capture data, but tools that would let it disrupt and even control satellites. That’s concerning. Imagine the network of satellites that enables the global positioning system (GPS) being shut off.

A second target was a geospatial imaging and mapping company. Hacking maps would be a useful tool in any kind of warfare. Thrip also targeted computers running Google Earth Server and Garmin imaging software. It would be useful to an enemy to be able to booger your maps whenever they wanted.

A third group of targets was a set of southeast Asian telecommunications companies. Again, Thrip’s goal appears to have been the operation of the companies themselves, not information about their customers. This is cyberwarfare, not someone harvesting data about individuals for identity theft and the like.

The fourth target was an unnamed defense contractor. The apparent purpose of that attack was not described by Symantec.

If those targets don’t worry you enough, equally worrying is Thrip’s approach to hacking. Instead of using custom malware, Thrip relies primarily on legitimate, native code in the operating system. For example, Thrip was caught making extensive use of a legitimate part of the Windows operating system called PsExec, a software tool that allows Computer A to install software on Computer B. It’s much harder to detect and stop legitimate software tools when they are being run for a malicious purpose.
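As an added example (not from the Symantec report or this post), here is a small Python detector for the PsExec pattern described above: PsExec copies a service binary to the target over the ADMIN$ share and registers it as a service, which Windows records as event 7045 (new service installed) and, with share auditing enabled, event 5145 (share object accessed). The log lines below are constructed, and the simplified "EventID|key=value" line format is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified "EventID|key=value|..." form:
# 7045 = new service installed, 5145 = file share object accessed.
SAMPLE_LOG = r"""
7045|Host=FILESRV01|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\PSEXESVC.exe|StartType=demand start
7045|Host=FILESRV01|ServiceName=Spooler|ImagePath=%SystemRoot%\System32\spoolsv.exe|StartType=auto start
5145|Host=WEB02|ShareName=\\*\ADMIN$|RelativeTargetName=mgmt-svc.exe|SubjectUserName=svc_backup
7045|Host=WEB02|ServiceName=mgmt-svc|ImagePath=%SystemRoot%\mgmt-svc.exe|StartType=demand start
"""

# PsExec drops its service binary directly under %SystemRoot%, not System32.
ROOT_EXE = re.compile(r"^%SystemRoot%\\([^\\]+\.exe)$", re.IGNORECASE)


def parse_events(log_text):
    """Turn the simplified log lines into dicts keyed by field name."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_id, *fields = line.split("|")
        rec = {"EventID": int(event_id)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def detect_psexec(log_text):
    """Return suspected PsExec service installs with a confidence level."""
    events = parse_events(log_text)
    # Files written through ADMIN$, per host: PsExec stages its service
    # executable this way just before registering the service.
    staged = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 5145 and ev.get("ShareName", "").upper().endswith("ADMIN$"):
            staged[ev["Host"]].add(ev.get("RelativeTargetName", "").lower())
    findings = []
    for ev in events:
        if ev["EventID"] != 7045:
            continue
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        match = ROOT_EXE.match(path)
        if "psexesvc" in (name + path).lower():
            # Default service name: high confidence even without share telemetry.
            findings.append({"host": ev["Host"], "service": name, "confidence": "high"})
        elif (match and ev.get("StartType") == "demand start"
              and match.group(1).lower() in staged[ev["Host"]]):
            # Renamed binary still shows the copy-via-ADMIN$-then-install pattern.
            findings.append({"host": ev["Host"], "service": name, "confidence": "medium"})
    return findings
```

Feeding real 7045/5145 records through the same two rules catches both the stock PSEXESVC name and a renamed service binary, while leaving ordinary auto-start services such as the spooler alone.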

In some ways, the U.S. has traded a Cold War for a Code War. And it is starting to get ugly.


  1. Always take hacking reports from a security software company with a grain of salt. After all, they are in the business of selling security software and nothing sells security software better than reports of new computer security breaches. But this appears to be entirely legit.