Table of Contents
Scientists shed light on the existence of a new cyber-espionage group on Thursday, which has been behind a series of targeted hacks of diplomatic entities and telecommunications companies in Africa and the Middle East since at least 2017. Hackers targeted the African and middle eastern countries because it is easier to exfiltrate data due to not-so-advanced security measures.
Known as “BackdoorDiplomacy,” the campaign targets the weak points in internet-linked devices, namely web servers, so hackers can conduct a wide range of cyberattacks, including the deployment of a turian implant capable of stealing sensitive data stored on removable media. Therefore, attackers got away without getting noticed for such a long time. However, researchers are keen on dismantling the array of cyberattacks.
Head of threat research at Slovak cybersecurity firm said:
“BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S.”
The Chinese Chopper web shell is designed to make initial contact with the compromised server, providing initial access through which to conduct reconnaissance and install malware, leveraging unpatched security vulnerabilities on both Windows and Linux operating systems. MacOS remained out of reach of attackers for its security protocols and protected communication between devices and the servers.
System targets include F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk management panels for web hosting. A number of foreign affairs ministries in African, Middle Eastern, and Asian countries have been affected. Furthermore, at least one Middle Eastern charity and at least one African telecom provider have also been affected by this attack.
How the criminal group stay unnoticed for four years?
The researchers found that operator tactics, techniques, as well as procedures (TTP) were similar in each case, but that tools were modified, even within close geographic areas, likely making it more difficult to track the group. In addition to BackdoorDiplomacy, Kaspersky is tracking a Chinese-speaking group called CloudComputing for similar activities.
ESET researchers found that Turian’s network encryption protocol is nearly identical to that of Whitebird, including its ability to gather system information, take screenshots, and perform file operations. A C++ backdoor operated by Calypso, a threat actor based in Asia, was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan in the same period that BackdoorDiplomacy was active.