Symantec Reveals Chinese Cyberattacks Targeting Telecoms and Satellites

Cybersecurity firm Symantec has revealed a Chinese-linked hacking campaign that targeted satellite communications and telecommunications networks in the United States and Southeast Asia.

Researchers using Symantec’s AI-driven Targeted Attack Analytics (TAA) system uncovered activity attributed to a group tracked by the company as “Thrip.” What appeared at first glance to be routine system behavior was flagged by TAA, prompting a deeper investigation that exposed the campaign.

According to Greg Clark, Symantec’s CEO, the operation is likely espionage in nature. “Thrip has been active since 2013,” Clark said. “Their latest campaign relies on built-in operating system tools and standard network administration utilities, allowing them to operate quietly and avoid easy detection.”

Symantec’s analysis indicates Thrip blends into legitimate network traffic and system processes, making its presence difficult to spot without machine-assisted detection. The group’s activities show a marked focus on telecom providers, satellite operators, and defense-related organizations, prompting Symantec to offer cooperation with relevant authorities to address the threat.

Investigators traced command-and-control activity back to machines located in mainland China. The attackers exploited legitimate operating system features and administrative tools to conceal their actions and reduce the likelihood of triggering alerts from conventional security monitoring.

While the primary motive appears to be intelligence gathering, Symantec warns that the campaign could shift toward more disruptive or destructive behavior if adversaries gain deeper access to operational systems.

The report arrives amid broader international concern about the security implications of Chinese telecommunications equipment. Governments and regulators in countries such as Australia and the United States have previously raised questions about national security risks related to certain suppliers, and Symantec’s findings are likely to intensify those discussions.

This investigation highlights the growing role of AI and behavioral analytics in detecting sophisticated, low-and-slow intrusion campaigns that rely on legitimate tools and leave few noisy indicators. It also underscores the need for organizations in critical infrastructure sectors (particularly satellite communications, telecoms, and defense contractors) to continuously harden their environments, monitor administrative tool use, and work closely with cybersecurity vendors and authorities when suspicious activity is detected.
