China APT Stole Geopolitical Secrets From Middle East, Africa & Asia

A Chinese state-aligned threat group has been exfiltrating emails and files from high-level government and military targets across the Middle East, Africa, and Southeast Asia on a daily basis since late 2022.

Operation Diplomatic Specter, a brazen espionage campaign described in a new report by Palo Alto Networks' Unit 42, targets ministries of foreign affairs, military entities, embassies, and more, in at least seven countries on three continents. Its goal is to obtain classified and otherwise sensitive information about geopolitical conflicts, diplomatic and economic missions, military operations, political meetings and summits, high-ranking politicians and military personnel, and, most of all, embassies and foreign affairs ministries.

The campaign is ongoing, and the attackers have already demonstrated a willingness to continue spying, even after being exposed and booted from compromised networks.

Diplomatic Specter's Tools

Diplomatic Specter attacks begin by targeting Web servers and Microsoft Exchange servers. The attackers exploit these Internet-facing assets using two critical but 3-year-old vulnerabilities — ProxyLogon, and ProxyShell — and in-memory VBScript implants.

With initial access in hand, the group has made use of a total of 16 malicious tools. Some are common open source programs, like the nbtscan scanning tool JuicyPotatoNG, a privilege escalation tool for Windows, and Mimikatz for credential theft. Some are more singular, like Yasso, a relatively new and powerful Chinese pen-testing tool attackers can use for brute forcing, scanning, interactive shell, arbitrary command execution, and more. Never before have threat actors been recorded using Yasso in the wild.

Diplomatic Specter also makes use of some notorious Chinese malware families like PlugX and China Chopper. Most notably, it uses Gh0st RAT, both as a means of cementing its foothold in targeted systems and as an inspiration for Diplomatic Specter's own custom backdoors.

First there's SweetSpecter, a new variant of 2023's reemerged Gh0st RAT, largely designed for effective command-and-control (C2) communications. Then there's TunnelSpecter, which, in addition to C2 tunneling, fingerprints victim machines and enables arbitrary command execution. TunnelSpecter is hardcoded with the username SUPPORT_388945c0, an open-faced attempt to mimic the default account SUPPORT_388945a0 associated with Windows' Remote Assistance feature.

The point of all this is to reach a high-value target's email inbox, from which Diplomatic Specter will begin silently exfiltrating sensitive emails and files. Sometimes, the group exfiltrates a victim's entire inbox. Other times it's more specific, using keyword searches to filter matters of interest to the People's Republic of China — military data, telecommunications and energy info, material related to Xi Jinping, Joe Biden, and other political leaders, and so on.

The Case for Layered Defense

Defending against Diplomatic Specter begins with blocking its means of initial access, by patching and otherwise hardening Internet-facing assets. After all, its very important victims seem to have fallen to vulnerabilities known to the public for quite a while before any attacks occurred.

After that, says Assaf Dahan, director of Cortex threat research at Palo Alto Networks, it's all about defense in depth.

"We see organizations from all over the world that don't practice good cyber hygiene, and they leave huge windows for hackers to walk in," he says. "[You need] all the layers of security that you can get: good network monitoring, detection and response, cloud email solutions.

"Once you've put up enough fences, it's really making it harder for bad actors to waltz into your network."