How Chinese threat group stole geopolitical secrets from the Middle East, Africa and Asia
A Chinese state-aligned threat group has been exfiltrating emails and files from high-level government and military targets across the Middle East, Africa, and Southeast Asia on a daily basis since late 2022.
Operation Diplomatic Specter, a brazen espionage campaign described in a new report by Palo Alto Networks’ Unit 42, targets ministries of foreign affairs, military entities, embassies, and more, in at least seven countries on three continents.
Its goal is to obtain classified and otherwise sensitive information about geopolitical conflicts, diplomatic and economic missions, military operations, political meetings and summits, high-ranking politicians and military personnel, and, most of all, embassies and foreign affairs ministries.
Diplomatic Specter attacks begin by targeting Web servers and Microsoft Exchange servers. The attackers exploit these Internet-facing assets using two critical but 3-year-old vulnerabilities — ProxyLogon, and ProxyShell — and in-memory VBScript implants.
Diplomatic Specter also makes use of some notorious Chinese malware families like PlugX and China Chopper. Most notably, it uses Gh0st RAT, both as a means of cementing its foothold in targeted systems and as an inspiration for Diplomatic Specter’s own custom backdoors.
The point of all this is to reach a high-value target’s email inbox, from which Diplomatic Specter will begin silently exfiltrating sensitive emails and files. Sometimes, the group exfiltrates a victim’s entire inbox.
