Operation Diplomatic Specter: Chinese APT Targeting Government Entities

Inside Operation Diplomatic Specter – Chinese APT Tactics Exposed

Published on May 28th, 2024

A large-scale cyber espionage campaign, dubbed Operation Diplomatic Specter, has been targeting governmental entities across the Middle East, Africa, and Asia since at least late 2022.

The culprit? A Chinese advanced persistent threat (APT) group exhibiting meticulous planning and a focus on sensitive information.

Stealthy Tactics For Long-Term Espionage

Researchers at Palo Alto Networks Unit 42 unearthed critical details about Operation Diplomatic Specter.

Their findings reveal a Chinese state-aligned actor conducting long-term espionage against at least seven government entities.

The attacks involved a sophisticated approach, leveraging rare email exfiltration techniques to gather intelligence on a massive scale.

Targeting The Heart Of International Relations

The campaign specifically targeted diplomatic and economic missions, embassies, military operations, political meetings, and high-ranking officials within the targeted countries.

By infiltrating ministries of foreign affairs, the attackers aimed to collect classified information on geopolitical issues, diplomatic and economic activities, military actions, political gatherings, and individuals of high importance.

Unraveling The APT’s Arsenal

This Chinese APT group, previously tracked as CL-STA-0043, has been assigned the temporary codename TGR-STA-0043.

Their tools of choice included previously undocumented backdoors like TunnelSpecter and SweetSpecter, both variants of the infamous Gh0st RAT malware.

TunnelSpecter utilizes DNS tunneling for stealthy data exfiltration, while SweetSpecter shares similarities with SugarGh0st RAT, another Gh0st RAT variant employed by suspected Chinese actors.
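DNS tunneling works because outbound DNS is rarely blocked, so a backdoor can encode data into subdomain labels of queries to an attacker-controlled zone. The following is an added example (not Unit 42's tooling or anything from the report) of the kind of heuristic a defender can run over a DNS query log to surface that pattern: per-base-domain query volume, character entropy of the subdomain part, longest label length, and the share of TXT/NULL record lookups. The log format, the sample lines and the thresholds are all constructed for illustration, and the base domain is approximated as the last two labels because no public-suffix list is consulted.

```python
"""Heuristic detection of DNS-tunneling-style query patterns in a DNS query log.

Added example, not code from the page or from Unit 42. Assumed (constructed)
log format: "<timestamp> <client-ip> <qtype> <qname>", one query per line.
"""
import math
from collections import defaultdict

# Constructed sample log: one host resolving ordinary names, another issuing a
# burst of TXT queries whose subdomains look like encoded payload chunks.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 A www.example-portal.test
2024-05-01T10:00:02Z 10.0.0.12 A mail.example-portal.test
2024-05-01T10:00:03Z 10.0.0.44 TXT 4a7f9c2e1b3d5f6a8c0e2b4d6f8a1c3e.update.cdn-sync.test
2024-05-01T10:00:04Z 10.0.0.44 TXT 9e1d3c5b7a9f0e2d4c6b8a0f1e3d5c7b.update.cdn-sync.test
2024-05-01T10:00:05Z 10.0.0.44 TXT 2b4d6f8a0c1e3d5f7a9c1e3b5d7f9a0c.update.cdn-sync.test
2024-05-01T10:00:06Z 10.0.0.44 TXT 7c9e1a3b5d7f9a1c3e5b7d9f1a3c5e7b.update.cdn-sync.test
2024-05-01T10:00:07Z 10.0.0.44 TXT 5d7f9a1c3e5b7d9f1a3c5e7b9d1f3a5c.update.cdn-sync.test
2024-05-01T10:00:08Z 10.0.0.12 AAAA www.example-portal.test
2024-05-01T10:00:09Z 10.0.0.12 A static.example-portal.test
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (base_domain, subdomain), treating the last two labels as the base.

    Assumption: a real deployment would use a public-suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(log_text: str):
    """Yield (client, qtype, qname) tuples; blank or malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname


def profile_domains(log_text: str) -> dict:
    """Aggregate per-base-domain statistics relevant to tunneling detection."""
    stats = {}
    for client, qtype, qname in parse_log(log_text):
        base, sub = split_qname(qname)
        s = stats.setdefault(base, {"queries": 0, "txt_queries": 0,
                                    "entropy_sum": 0.0, "max_label": 0,
                                    "clients": set()})
        s["queries"] += 1
        if qtype in ("TXT", "NULL"):          # record types favoured for bulk data
            s["txt_queries"] += 1
        # Entropy over all subdomain characters (dots removed) catches payloads
        # split across several labels; longest label catches single long chunks.
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        longest = max((len(label) for label in sub.split(".")), default=0)
        s["max_label"] = max(s["max_label"], longest)
        s["clients"].add(client)
    return stats


def flag_tunneling(log_text: str, min_queries: int = 3,
                   entropy_threshold: float = 3.5, label_threshold: int = 30):
    """Return the sorted base domains whose query pattern suggests tunneling.

    Thresholds are illustrative; tune them against your own baseline traffic.
    """
    flagged = []
    for base, s in profile_domains(log_text).items():
        if s["queries"] < min_queries:       # ignore one-off lookups
            continue
        mean_entropy = s["entropy_sum"] / s["queries"]
        if mean_entropy >= entropy_threshold or s["max_label"] >= label_threshold:
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base, s in profile_domains(SAMPLE_LOG).items():
        print(f"{base}: queries={s['queries']} txt={s['txt_queries']} "
              f"mean_entropy={s['entropy_sum'] / s['queries']:.2f} "
              f"max_label={s['max_label']} clients={len(s['clients'])}")
    print("flagged:", flag_tunneling(SAMPLE_LOG))
```

On the sample above only `cdn-sync.test` is flagged: five TXT lookups from one client, 32-character labels, and a mean subdomain entropy near 4 bits per character, whereas the ordinary `www`/`mail`/`static` lookups score well under 2. In practice such a heuristic is a triage filter, not a verdict: legitimate CDNs and anti-spam services also produce long, high-entropy labels, so flagged domains should be reviewed against passive DNS, domain age and the endpoint's process telemetry before any response action.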

These custom backdoors provided the attackers with persistent access to target networks, enabling them to execute commands, steal data, and deploy additional malicious tools.

Relentless Pursuit Of Sensitive Data

The APT group exhibited a laser focus on acquiring highly sensitive information.

Researchers observed daily attempts to exfiltrate data, including details on military operations, diplomatic missions and embassies, and the inner workings of foreign affairs ministries.

The attackers targeted mail servers, scouring them for relevant information.

They also proved persistent, attempting to regain access after being detected and evicted from compromised systems.

Their methods involved exploiting known vulnerabilities in Exchange servers, such as ProxyLogon and ProxyShell.

China Leaves Its Mark

The Chinese connection to Operation Diplomatic Specter is further strengthened by the group’s use of infrastructure typically associated with China-linked actors like APT27, Mustang Panda, and Winnti.

Additionally, their reliance on tools like the China Chopper web shell and PlugX solidifies the attribution.

Exfiltrated Data Reveals Strategic Objectives

The specific email exfiltration techniques employed provide valuable insights into the APT group’s objectives.

Their focus on highly sensitive information, including details on military activities, diplomatic affairs, and foreign ministries, underscores their goal of comprehensive intelligence gathering on geopolitical matters.

Frequently Asked Questions (FAQs)

What is Operation Diplomatic Specter?

Operation Diplomatic Specter is a large-scale cyber espionage campaign targeting governments in the Middle East, Africa, and Asia. A Chinese APT group is behind the attacks, aiming to steal sensitive information.

What kind of information were they after?

The attackers focused on acquiring classified data related to military operations, diplomatic activities, and foreign affairs.

How can governments protect themselves from such attacks?

Government entities should prioritize robust cybersecurity measures, including patching vulnerabilities, implementing email security protocols, and raising awareness among employees about phishing attempts.