Inside Operation Diplomatic Specter: Chinese APT Group's Stealthy Tactics Exposed

A Chinese APT group has been targeting governmental entities in the Middle East, Africa, and Asia since late 2022 as part of a cyber espionage campaign named Operation Diplomatic Specter. According to researchers from Palo Alto Networks Unit 42, this group has conducted long-term espionage against at least seven government entities, employing sophisticated email exfiltration techniques. Previously tracked as CL-STA-0043, this activity cluster has now been elevated to a temporary actor group codenamed TGR-STA-0043, which is believed to be aligned with Chinese state interests. The targets of these attacks include diplomatic and economic missions, embassies, military operations, political meetings, ministries, and high-ranking officials. The threat actor uses credential theft and Exchange email exfiltration techniques to infiltrate their targets. The cybersecurity firm noted the use of previously undocumented backdoors such as TunnelSpecter and SweetSpecter, which are variants of the infamous Gh0st RAT, a tool widely used in espionage campaigns by Beijing government hackers. TunnelSpecter gets its name from its use of DNS tunneling for data exfiltration, adding an extra layer of stealth, while SweetSpecter has been employed by suspected Chinese-speaking threat actors since August 2023.

These sophisticated tools allow the adversary to maintain covert access to target networks, execute arbitrary commands, exfiltrate data, and deploy further malware and tools. The threat actor appears to closely monitor contemporary geopolitical developments, attempting to exfiltrate information on a daily basis. This is achieved through targeted efforts to infiltrate targets' mail servers and search for information of interest, often making repeated attempts to regain access when their activities are detected and disrupted. Initial access is typically achieved by exploiting known Exchange server vulnerabilities such as ProxyLogon and ProxyShell.
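The DNS tunneling attributed to TunnelSpecter above is usually visible in resolver logs as a burst of unique, long, high-entropy subdomain labels under a single zone. The following script is an added illustration of that detection idea, written for this page; it is not Unit 42's code and not a signature for TunnelSpecter. The log line format, the attacker zone exfil.example, the client addresses and the thresholds are all constructed assumptions, and the base-zone split is naive (last two labels, no public-suffix list).

```python
"""Heuristic detection of DNS-tunnelling-style exfiltration in resolver logs.

Added example for this page, not Unit 42's tooling. Log format, the zone
'exfil.example', the client IPs and every threshold are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line:
#   "<timestamp> <client-ip> <query-type> <query-name>"
# 10.0.0.7 sends hex-encoded chunks as subdomain labels of the made-up
# zone exfil.example; the other lines are ordinary lookups.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.0.0.5 A www.example.com
2024-05-01T08:00:02Z 10.0.0.5 A mail.example.org
2024-05-01T08:00:03Z 10.0.0.7 TXT 4a6f686e20446f652031.exfil.example
2024-05-01T08:00:04Z 10.0.0.7 TXT 7365637265742e646f6378.exfil.example
2024-05-01T08:00:05Z 10.0.0.7 TXT 3a2066756c6c2072657061.exfil.example
2024-05-01T08:00:06Z 10.0.0.7 TXT 6420696e626f782e707374.exfil.example
2024-05-01T08:00:07Z 10.0.0.7 TXT 9f8e7d6c5b4a392817e6d5c4.exfil.example
2024-05-01T08:00:08Z 10.0.0.5 A cdn.example.com
2024-05-01T08:00:09Z 10.0.0.9 A static.example.net
"""


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or one-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(tuple(parts))
    return records


def split_name(qname):
    """Return (base zone, subdomain labels). Assumption: the base zone is the
    last two labels; a production detector would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), []
    return ".".join(labels[-2:]), labels[:-2]


def profile_zones(records):
    """Aggregate per zone: distinct leftmost labels, querying clients, bytes carried."""
    zones = defaultdict(lambda: {"labels": set(), "clients": set(), "chars": 0, "queries": 0})
    for _ts, client, _qtype, qname in records:
        zone, sub = split_name(qname)
        if not sub:
            continue
        z = zones[zone]
        z["queries"] += 1
        z["clients"].add(client)
        z["labels"].add(sub[0])
        z["chars"] += sum(len(label) for label in sub)
    return zones


def find_tunnel_candidates(text, min_unique=4, min_mean_len=16, min_mean_entropy=2.5):
    """Flag zones whose leftmost labels are numerous, long and high-entropy (thresholds assumed)."""
    findings = {}
    for zone, z in profile_zones(parse_log(text)).items():
        labels = z["labels"]
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if len(labels) >= min_unique and mean_len >= min_mean_len and mean_ent >= min_mean_entropy:
            findings[zone] = {
                "unique_labels": len(labels),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "subdomain_chars": z["chars"],  # rough upper bound on payload carried
                "clients": sorted(z["clients"]),
            }
    return findings


if __name__ == "__main__":
    for zone, stats in find_tunnel_candidates(SAMPLE_LOG).items():
        print(zone, stats)
```

Run against the embedded sample, only exfil.example is reported, with the single client that queried it and the number of subdomain characters it carried; the three ordinary zones fall well under every threshold. In practice the thresholds should be tuned per environment, and the same aggregation can be fed from a real resolver or passive-DNS export once the parser matches that format.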

Security Officer Comments:
The attackers meticulously search for specific keywords and exfiltrate anything related to them, including entire archived inboxes belonging to particular diplomatic missions or individuals. Files related to the topics they are searching for are also exfiltrated. The Chinese links to Operation Diplomatic Specter are further confirmed by the use of operational infrastructure exclusively used by China-nexus groups like APT27, Mustang Panda, and Winnti, as well as tools like the China Chopper web shell and PlugX. The researchers conclude that the exfiltration techniques observed in Operation Diplomatic Specter provide insight into the strategic objectives of the threat actor behind the attacks. The actor aims to gather highly sensitive information, encompassing details about military operations, diplomatic missions, embassies, and foreign affairs ministries.

Suggested Corrections:
Notably, TGR-STA-0043 continues to leverage known vulnerabilities in internet-facing servers. This underscores the need for heightened vigilance and fortified cybersecurity measures across global governments and organizations. A resilient defense mechanism is not only essential for thwarting evolving cyber threats but also for preserving the confidentiality, integrity, and availability of critical information. Organizations that safeguard sensitive information should pay particular attention to commonly exploited vulnerabilities. They should also adhere to best practices when it comes to IT hygiene, as APTs often seek to gain access through methods they know have been effective in the past. To defend against this threat, the following mitigations are recommended:

  • Enable and require multifactor authentication (MFA).
  • Conduct security awareness training against phishing.
  • Maintain good password hygiene.
  • Properly scope permissions across users and machines.
  • Make sure that Exchange Servers are up to date with the latest Microsoft security patches.