Active Chinese Cyberespionage Campaign Rifling Email Servers
'Rare Tools' Employed in 'Operation Diplomatic Specter,' Threat Researchers Find
Security researchers continue to uncover fresh details concerning China's global cyberespionage campaigns.
One long-running campaign being tracked by researchers has been targeting at least nine different governments across Asia, the Middle East and Africa. The advanced persistent threat group uses rare or never-before-seen backdoors to maintain persistence in victims' IT environments and regularly hacks into email servers for intelligence.
So said researchers with Unit 42, the threat intelligence group at Palo Alto Networks, who report that the APT group appears to have been active since at least late 2022. Researchers gave the group the codename CL-STA-0043 - short for a cluster of activities attributed to a state-backed group - and are tracking its wider efforts as Operation Diplomatic Specter.
Researchers have watched the group displaying "persistence and adaptability" and wielding "a rare set of tools" as it targets diplomatic and economic missions, high-ranking officials, military entities and various other ministries as well as multiple embassies.
"The threat actor appears to closely monitor contemporary geopolitical developments, attempting to exfiltrate information daily," according to Unit 42. "The threat actor's modus operandi in cases we observed was to infiltrate targets' mail servers and to search them for information. We observed multiple efforts to maintain persistence, including repeated attempts to adapt and regain access when the actor's activities were disrupted."
Researchers found the APT group repeatedly targeting known vulnerabilities, especially the Microsoft Exchange server vulnerabilities known as ProxyLogon, tracked as CVE-2021-26855, and ProxyShell, tracked as CVE-2021-34473 (see: Five Eyes Alliance Advises on Top 10 Initial Attack Vectors).
After infection, the group uses a variety of tools, including a custom backdoor the researchers gave the codename TunnelSpecter, which can fingerprint systems, remotely execute commands and employ DNS tunneling - hence the codename - for command-and-control or communications with the attacker's server and a second backdoor dubbed SweetSpecter.
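DNS tunneling of the kind attributed to TunnelSpecter leaves a recognizable trace in resolver logs: bursts of long, random-looking subdomain labels under one parent domain. The following is an added detection sketch, not code from Unit 42 or from the malware; it runs over constructed log lines with a placeholder C2 domain, and its thresholds and the "last two labels" notion of a registrable domain are simplifying assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "client qname qtype".
# The hex-like labels mimic the data-bearing subdomains DNS-tunneling C2 produces.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 3f9a8c2e1b7d4e6f0a9c8b7d6e5f4a3b.c2-placeholder.test TXT
10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-placeholder.test TXT
10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-placeholder.test TXT
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.test TXT
10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded data scores high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def suspicious_queries(log_text, min_sub_len=24, min_entropy=3.2, min_count=3):
    """Group queries by parent domain (last two labels, a simplifying
    assumption) and return domains that receive repeated long, high-entropy
    subdomain lookups, the signature of data being carried out over DNS."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        client, qname, qtype = parts
        labels = qname.strip(".").lower().split(".")
        if len(labels) < 3:
            continue                      # no subdomain to carry data
        subdomain = ".".join(labels[:-2])
        if len(subdomain) >= min_sub_len and shannon_entropy(subdomain) >= min_entropy:
            hits[".".join(labels[-2:])].append((client, qtype, subdomain))
    return {d: q for d, q in hits.items() if len(q) >= min_count}

if __name__ == "__main__":
    for domain, queries in suspicious_queries(SAMPLE_LOG).items():
        print(f"{domain}: {len(queries)} tunnel-like queries, e.g. {queries[0]}")
```

In production the same logic would run over a window of passive DNS or resolver logs, with an allowlist for legitimate high-entropy names such as CDN and cloud-service hostnames.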
"Based on our analysis of the SweetSpecter malware, we believe it was written by the same author as TunnelSpecter," Unit 42 said. "We found that it shares code similarities with TunnelSpecter and SugarGh0st," which is a remote access Trojan.
The SugarGh0st RAT was first spotted by Cisco Talos last November. It's a variant of Gh0st RAT, for which source code leaked back in 2008 and which is now effectively open source and widely used by many different attackers.
Cisco Talos last year warned that attackers wielding the SugarGh0st variant since at least August 2023 were targeting users in South Korea, as well as the Uzbekistan Ministry of Foreign Affairs, as part of a cyberespionage campaign. The researchers believed at least some of the initial infections traced to phishing emails that included as an attachment a Windows shortcut containing a malicious JavaScript, which served as a SugarGh0st loader.
"SugarGh0st is a fully functional backdoor that can execute most remote control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell," Talos researchers said at the time in a blog post. "It can also manage the machine's service manager by accessing the configuration files of the running services and can start, terminate or delete the services."
Code and Infrastructure Reuse
Attackers often share and reuse tools, which complicates attribution. Whether or not the same APT group is behind the attacks separately detailed by the Talos and Unit 42 groups, or whatever their relationship might be, isn't clear.
Unit 42 said the infrastructure employed as part of Operation Diplomatic Specter does overlap with what's been seen in multiple other Chinese APT campaigns. One of the main Diplomatic Specter C2 servers, it said, was also used in campaigns attributed to such China-aligned actors as Space Pirates; in Operation Iron Tiger - tied to Iron Taurus, aka APT27; and Operation Exorcist - targeting the Catholic Church - which appears to overlap with the APT group Mustang Panda, aka Stately Taurus.
Anecdotal evidence further suggests the Operation Diplomatic Specter attacks come from hackers with Beijing ties. The Unit 42 researchers said attacks launched by the group generally paralleled Chinese office hours; employed tools - including not just customized versions of Gh0st RAT but also PlugX, Htran and China Chopper - typically used by Chinese APT groups; used malware with Mandarin-language code comments and debug strings; and for multiple C2 servers used Chinese virtual server providers, including Cloudie Limited and Zenlayer.
China's Intelligence Apparatus
Such attacks represent only a very small fraction of what intelligence analysts say is China's suspected cyberespionage might. One Western intelligence official recently told the BBC that China's intelligence and security agencies are staffed by about 600,000 individuals, more than any other country.
Leaks also show that China employs an array of contractors to facilitate state-sanctioned hack attacks, including for intelligence-gathering purposes (see: iSoon Leak Shows Links to Chinese APT Groups).
The scale of China's cyberespionage efforts is further highlighted by a flurry of recent research reports, including a report from Google Cloud's Mandiant unit detailing Chinese APT groups' increased use of tough-to-track mesh networks, built using virtual private servers and hacked routers and internet of things devices, to screen their attacks.
Security researchers at Bitdefender separately detailed a new APT group they've dubbed Unfading Sea Haze, which uses malware based on Gh0st RAT, as well as a web shell alternative called SharpJSHandler that has code overlaps with malware previously used by a China-aligned hacking group tracked as APT41, aka Winnti, Wicked Panda and Wicked Spider.