China-Based Hacking Campaign Breached Satellite and Defense Companies, Says Symantec

June 20, 2018 Updated: June 21, 2018

SAN FRANCISCO—A sophisticated hacking campaign launched from computers in China had burrowed deeply into satellite operators, defense contractors, and telecommunications companies in the United States and southeast Asia, according to security researchers at software company Symantec.

Symantec said on June 19 that the effort appeared to be driven by national espionage goals, such as the interception of military and civilian communications.

Such interception capabilities are rare but not unheard of, and the researchers could not say what communications, if any, were taken. More disturbingly, in this case, the hackers infected computers that controlled satellites, so that they could have changed the positions of the orbiting devices and disrupted data traffic, Symantec said.

“Disruption to satellites could leave civilian as well as military installations subject to huge (real world) disruptions,” said Vikram Thakur, technical director at Symantec. “We are extremely dependent on their functionality.”

Satellites are critical to phone and internet service, as well as mapping and positioning data.

Symantec, based in Mountain View, California, described its findings to Reuters exclusively ahead of a planned public release. It said the hackers had been removed from infected systems.

Symantec said it has already shared technical information about the hack with the U.S. Federal Bureau of Investigation (FBI) and Department of Homeland Security, along with public defense agencies in Asia and other security companies. The FBI did not respond to a request for comment.

Thakur said Symantec detected the misuse of common software tools at client sites in January, leading to the discovery of the hacking campaign at unnamed targets.

Other security analysts have also recently tied sophisticated attacks to Chinese groups that had been out of sight for a while—and there could be overlap. Cybersecurity firm FireEye said in March that a group called Temp.Periscope reappeared last summer and went after defense companies and shippers. FireEye had no immediate comment on the new episode.

Following its customary stance, Symantec did not directly blame the Chinese regime for the hack. It said the hackers launched their campaign from three computers on the mainland. In theory, those machines could have been compromised by someone elsewhere.

By Joseph Menn