Symantec identifies China-driven hacking on satellite and telecoms

Symantec said it has identified a hacking campaign launched from China targeting satellite operators, defense contractors and telecommunications companies in the United States and southeast Asia.

The US-based cyber security firm said the hackers infected computers that controlled the satellites, so that they could have changed the positions of the orbiting devices and disrupted data traffic.

Greg Clark, Symantec CEO, said: “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence.”

Thrip’s attackers could intercept or even alter communications traffic from enterprises and consumers, Symantec said. This has added to privacy concerns that have been very visible lately with the deployment of the new GDPR regulations as well as the VPNFilter attacks on Internet routers.

“Disruption to satellites could leave civilian as well as military installations subject to huge disruptions,” said Vikram Thakur, technical director at Symantec.

Symantec, based in Mountain View, California, said the hackers had been removed from infected systems.

Symantec has already shared technical information about the hack with the U.S. Federal Bureau of Investigation and Department of Homeland Security, along with public defense agencies in Asia and other security companies, Reuters reported.

Symantec detected the misuse of common software tools at client sites in January, leading to the campaign’s discovery at unnamed targets.

Symantec said Thrip, its name for the group behind this cyber-attack, was active from 2013 and then vanished from the radar for about a year until its latest campaign began a year ago. The group has recently developed new tools and started relying more on widely available administrative and criminal programs.

In March, FireEye, another cyber-security firm, said a group it calls Temp.Periscope had reappeared last summer and gone after defense companies and shippers.

In the past, Thrip relied on deceptive emails carrying infected attachments or linking recipients to malicious sites. This time, Thrip did not infect most user computers; instead it moved among servers, which makes detection harder.

Symantec did not directly blame the Chinese government for the hack. It said the hackers launched their campaign from three computers on the mainland. In theory, those machines could have been compromised by someone elsewhere.

Symantec’s artificial intelligence-based Targeted Attack Analytics (TAA) technology was instrumental in the discovery of the attack. TAA leverages AI and machine learning to comb through Symantec’s data lake of telemetry to spot patterns associated with targeted cyber attacks.