A new advanced persistent threat (APT) group has targeted diplomats in Africa and the Middle East. In research published on Thursday, ESET revealed that the group, which it nicknamed BackdoorDiplomacy, carried out attacks against various foreign ministries across Africa and the Middle East.
BackdoorDiplomacy is a cross-platform attack group that focuses on exploiting vulnerable Linux and Windows systems as its initial attack vector. It has been in operation since at least 2017. It has also hit a smaller number of telecommunications firms in Africa and at least one charity in the Middle East.
In one notable case, a remote attacker used an F5 bug, tracked as CVE-2020-5902, to launch a Linux backdoor, while in another the attacker used a Microsoft Exchange server bug to install the China Chopper webshell.
Once it has gained access to a device, the threat actor scans from it to move laterally across the network and installs a custom backdoor. It then deploys tools to carry out surveillance and data theft.
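The two initial-access vectors described above both leave traces in ordinary web-server access logs. The following is an added example, not ESET's code or anything from the report, showing how a defender might run two simple detections over Combined Log Format lines: requests to the F5 TMUI that carry the `..;` path-normalization sequence (F5's public mitigation guidance for CVE-2020-5902 blocked `;` in `/tmui/` URIs, so treating it as a log-side indicator is an assumption made here), and POST requests to a server-side script outside the directories an Exchange front end normally serves, which is how a dropped webshell such as China Chopper is typically driven. The rule names, the allowlist of application roots and the sample log lines are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories an Exchange front end normally serves; a POST to a server-side
# script anywhere else is unusual. Constructed allowlist: tune per deployment.
KNOWN_APP_ROOTS = ("/owa/", "/ecp/", "/ews/", "/mapi/", "/autodiscover/")
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".php", ".jsp")

# Constructed sample traffic using RFC 5737 documentation addresses; not real logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2021:09:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2021:09:12:07 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/ HTTP/1.1" 200 1843 "-" "python-requests/2.25.1"
203.0.113.5 - - [10/Jun/2021:09:12:09 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/ HTTP/1.1" 200 1843 "-" "python-requests/2.25.1"
198.51.100.9 - - [10/Jun/2021:09:15:44 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2021:09:16:02 +0000] "POST /aspnet_client/system_web/help.aspx HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Jun/2021:09:20:10 +0000] "POST /owa/auth.owa HTTP/1.1" 302 0 "https://mail.example.test/owa/" "Mozilla/5.0"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for one Combined Log Format line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding once so "..%3B" and "..;" compare alike,
    # then drop the query string so path checks see only the path.
    decoded = unquote(rec["target"])
    rec["path"] = decoded.split("?", 1)[0].lower()
    return rec


def check_tmui_traversal(rec):
    """Flag F5 TMUI requests carrying the '..;' normalization sequence.

    Assumption: F5's published mitigation for CVE-2020-5902 rejected ';' in
    /tmui/ URIs, so the same pattern is used here as a log-side indicator."""
    if "/tmui/" in rec["path"] and "..;" in rec["path"]:
        return "f5-tmui-traversal"
    return None


def check_webshell_post(rec):
    """Flag a POST to a server-side script outside the known application roots.

    A dropped webshell is a small script the operator POSTs commands to;
    legitimate clients rarely POST to script files in odd directories."""
    if rec["method"] != "POST":
        return None
    if not rec["path"].endswith(SCRIPT_EXTS):
        return None
    if rec["path"].startswith(KNOWN_APP_ROOTS):
        return None
    return "webshell-post"


RULES = (check_tmui_traversal, check_webshell_post)


def scan(lines):
    """Run every rule over every parsable line; return (rule, ip, path) hits."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash the whole run
        for rule in RULES:
            name = rule(rec)
            if name:
                alerts.append((name, rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for name, ip, path in scan(SAMPLE_LOG.splitlines()):
        print(f"{name:20} {ip:15} {path}")
```

Decoding the request target before matching is what catches the percent-encoded variant in the third sample line; without it, a single-byte encoding of the semicolon would slip past a literal string match. The webshell rule is deliberately a coarse heuristic and should be paired with file-integrity monitoring of the web root, since the same access pattern also shows up for legitimate custom endpoints.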
The Turian backdoor used by the APT is similar to the Quarian backdoor, which was used in 2013 to target US diplomatic facilities in Syria.
Among the other tools used by the APT are EarthWorm, Mimikatz, and NetCat, as well as EternalBlue, DoublePulsar, and EternalRocks, tools developed by the NSA and leaked by the ShadowBrokers.
Researchers warn that it is possible for diplomats to expose sensitive information through removable storage devices. BackdoorDiplomacy can scan for such devices and copy all the files into a secure archive.
While BackdoorDiplomacy is a separate APT, other threat groups appear to share its goals and objectives. The APT uses the same network encryption protocol as Whitebird, a backdoor that was used to infiltrate diplomatic facilities in Kazakhstan and Kyrgyzstan. Lastly, ESET sees similarities with the tooling CloudComputating/Platinum used in attacks against diplomatic, government, and military organizations across Asia.