Cybersecurity experts revealed a new cyber espionage cell responsible for a series of targeted operations against diplomatic facilities and telecommunications companies in Africa and the Middle East since at least 2017.
The campaign, dubbed BackdoorDiplomacy, involves targeting vulnerabilities in devices exposed to the Internet, such as web servers, to conduct a variety of cyber hacking activities, including moving laterally across the network to deploy a custom implant called Turian that is capable of exfiltrating sensitive data stored on removable media.
Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET said, “BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S.”
Reconnaissance and lateral movement
After the initial compromise, the BackdoorDiplomacy group frequently used open-source reconnaissance and Red Team technologies to scan the environment for new attack targets and lateral movement. The tools listed include:
- EarthWorm is a basic network tunnel that includes SOCKS v5 server and port transfer features.
- Mimikatz, as well as various versions such as SafetyKatz
- Nbtscan, a command-line NetBIOS scanner for Windows
- NetCat, a network program that reads and sends data over network connections.
- PortQry, a program that displays the status of TCP and UDP ports on remote systems
- SMBTouch, used to determine if a target is vulnerable to EternalBlue
Various NSA tools from the ShadowBrokers dump, including but not limited to:
The following directories are frequently used for staging recon and lateral movement tools:
- C:Program FilesWindows Mailen-US
- C:ProgramDataESETESET SecurityLogseScan
- %USERPROFILE%ESETESET SecurityLogseScan
- C:Program Fileshphponcfg
- C:Program Fileshphpssa
Cybercriminal group can attack both Windows and Linux operating systems
The cross-platform group is able to attack both Windows and Linux operating systems. They target management interfaces for network devices and servers with open ports on the Internet, most likely using the China Chopper web shell for initial access and using it to explore and install the backdoor.
Platforms attacked include F5 BIG-IP devices (CVE-2020-5902), Exchange Server, and Plesk web hosting control panels. Victims have been identified at Foreign Ministries in several African countries as well as Europe, Middle East, and Asia. In addition to that, African telecommunications providers and at least one Middle Eastern charity were targeted.
BackdoorDiplomacy is believed to overlap with previously documented activities of a Chinese-language organization called CloudComputing, Kaspersky said.
According to ESET, the network encryption protocol used by Turian is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asian threat actor called Calypso that was installed in diplomatic organizations in Kazakhstan and Kyrgyzstan during the same time period as Backdoo.