A recent report by Palo Alto Networks’ Unit 42 has highlighted the alarming espionage activities of a Chinese state-aligned threat group known as Diplomatic Specter. This group has been actively exfiltrating emails and files from high-level government and military targets in the Middle East, Africa, and Southeast Asia since late 2022.
Operation Diplomatic Specter, as it is called, targets ministries of foreign affairs, military entities, embassies, and more in at least seven countries across three continents. The primary goal of this espionage campaign is to obtain classified and sensitive information regarding geopolitical conflicts, diplomatic missions, military operations, political meetings, high-ranking officials, and foreign affairs ministries.
The campaign shows no signs of slowing down, with the attackers persisting in their spying activities even after being exposed and removed from compromised networks. They have demonstrated a willingness to continue their efforts to gather intelligence through various means.
Diplomatic Specter employs a range of tools and tactics to infiltrate targeted networks and exfiltrate data from them. The group gains initial access by exploiting known vulnerabilities in internet-facing web servers and Microsoft Exchange servers, notably ProxyLogon and ProxyShell, and follows up with in-memory VBScript implants.
Once inside the network, the threat group deploys a total of 16 malicious tools, including common open-source programs like JuicyPotatoNG and Mimikatz, as well as more unique tools like Yasso, a powerful Chinese pen-testing tool used for various malicious activities. Additionally, Diplomatic Specter utilizes notorious Chinese malware families such as PlugX and China Chopper, along with a custom backdoor inspired by the Gh0st RAT malware.
Two new variants of the Gh0st RAT, named SweetSpecter and TunnelSpecter, are also utilized by Diplomatic Specter for command-and-control communications, victim machine fingerprinting, and arbitrary command execution. These tools enable the threat group to exfiltrate sensitive emails and files from high-value targets, sometimes targeting entire inboxes or specific information based on keyword searches.
To defend against such sophisticated attacks, experts recommend a layered defense approach. This includes patching and securing internet-facing assets to prevent initial access, followed by implementing robust cybersecurity measures such as network monitoring, detection and response capabilities, and secure cloud email solutions.
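The detection layer recommended above can start with the web server logs of the internet-facing assets the report names. The following Python script is an added example, not code from the Unit 42 report or from Palo Alto Networks: it parses IIS W3C-format logs and flags two patterns that are widely documented for ProxyShell-style Exchange compromise, an Autodiscover request whose query string carries an `@`-prefixed pivot to an Exchange back-end path, and a request for an `.aspx` page under `/aspnet_client/`, a directory that holds client scripts in a stock deployment and is a common web shell drop location. The log lines, IP addresses, host names and the `Finding` type are all constructed for the example; the `PROXYSHELL_BACKENDS` list is an assumption about which back-end paths are worth alerting on and should be tuned to the environment.

```python
"""Hunt IIS logs for ProxyShell-style Autodiscover SSRF and unexpected .aspx pages.

Added example for triaging Exchange front-end logs; sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample IIS W3C log excerpt (not taken from the report).
# The "#Fields:" header names the columns and "-" marks an empty field.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-01-10 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 443 - 198.51.100.7 Mozilla/5.0 200
2023-01-10 08:12:44 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.9 python-requests/2.28 200
2023-01-10 08:12:45 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.9 python-requests/2.28 200
2023-01-10 08:13:02 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 - 203.0.113.9 python-requests/2.28 200
2023-01-10 08:15:30 10.0.0.5 GET /autodiscover/autodiscover.json Email=user%40example.test 443 DOMAIN\\user 198.51.100.22 Outlook/16.0 200
"""

# Assumed list of Exchange back-end paths an Autodiscover SSRF typically pivots to.
PROXYSHELL_BACKENDS = ("/mapi/nspi", "/powershell", "/ews/")


@dataclass
class Finding:
    """One suspicious request (hypothetical record type for this example)."""
    rule: str
    client_ip: str
    method: str
    path: str
    query: str


def parse_iis(text: str) -> List[Dict[str, str]]:
    """Parse W3C-extended IIS log text into one dict per request line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blank lines, or data before a header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def hunt(rows: List[Dict[str, str]]) -> List[Finding]:
    """Apply the two detection rules and return every match in log order."""
    findings: List[Finding] = []
    for r in rows:
        path = r["cs-uri-stem"].lower()
        query = "" if r["cs-uri-query"] == "-" else unquote(r["cs-uri-query"]).lower()

        # Rule 1: Autodiscover query of the form "@host/<backend>/..." where the
        # "@" precedes the first "/" and the pivot target is a sensitive back end.
        at, slash = query.find("@"), query.find("/")
        pivots = at != -1 and slash != -1 and at < slash
        if (path.endswith("/autodiscover/autodiscover.json") and pivots
                and any(b in query for b in PROXYSHELL_BACKENDS)):
            findings.append(Finding("proxyshell_autodiscover_ssrf",
                                    r["c-ip"], r["cs-method"], path, query))

        # Rule 2: an .aspx page served from /aspnet_client/, which normally
        # contains only client-side script folders, never server pages.
        if path.startswith("/aspnet_client/") and path.endswith(".aspx"):
            findings.append(Finding("unexpected_aspx_under_aspnet_client",
                                    r["c-ip"], r["cs-method"], path, query))
    return findings


def by_client(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source IP so the triage view shows who to look at first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = hunt(parse_iis(SAMPLE_LOG))
    for h in hits:
        print(f"{h.rule:40} {h.client_ip:15} {h.method} {h.path} {h.query}")
    print("per-client:", by_client(hits))
```

The two legitimate lines (an OWA logon and a normal Outlook Autodiscover lookup, whose `@` sits in an e-mail address with no following path) are not flagged; the three requests from the constructed `203.0.113.9` address are. In practice this is a first-pass filter to feed a SIEM or a manual review, not a replacement for patching the Exchange servers themselves.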
Assaf Dahan, director of Cortex threat research at Palo Alto Networks, emphasizes the importance of good cyber hygiene and the need for multiple layers of security to mitigate the risks posed by threat actors like Diplomatic Specter. By creating barriers and making it harder for malicious actors to infiltrate networks, organizations can better protect themselves against sophisticated espionage campaigns like Operation Diplomatic Specter.
