Who is BackdoorDiplomacy?
BackdoorDiplomacy is a cyberespionage group linked to China. It has been active since at least 2017.
The group targets high-level government and diplomatic networks. They aim for long-term access. Their main goal is to steal sensitive information for Chinese strategic interests.
Common Tactics and Tools
The group’s main entry point is exploiting vulnerabilities in internet-facing servers and network equipment. They often attack unpatched Microsoft Exchange servers and F5 BIG-IP networking devices.
Once inside a network, they use a mix of custom and open-source tools. They move through the network laterally, escalate privileges, and exfiltrate data. A distinctive tactic is stealing data from removable media such as USB drives.
- Turian: The group’s custom backdoor. It is based on the older Quarian backdoor. It lets attackers maintain access, run commands, and manage files on an infected system.
- Open-source tools: The group uses common, publicly available tools to hide its activity. These include Nbtscan for network scanning and Mimikatz for credential theft.
- Removable media collection: BackdoorDiplomacy actively scans for and steals data from connected USB drives.
How to Defend Against BackdoorDiplomacy
Defense requires a secure network and strong data controls.
- Prioritize edge device patching: The best defense is a rigorous patch management program for all internet-facing devices. This includes web servers, VPNs, and appliances.
- Control removable media: Enforce strict policies for USB drives. Use security software to scan or block unauthorized devices.
- Implement network segmentation: Segmenting the network can contain a breach. It stops attackers from moving from a hacked server to more sensitive systems.
- Monitor for credential theft: Use security tools such as Network Detection and Response (NDR) to detect and block credential-stealing tools like Mimikatz. NDR tools also detect and react to network scanning and exfiltration before data leaves the network.
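The scanning behaviour mentioned above (Nbtscan sending NetBIOS name queries to many hosts) is one of the easier signals to pick out of flow or firewall logs. The following Python is an added example, not code from the original page or from any vendor product: it builds a constructed set of flow records and flags any source that queries an unusual number of distinct hosts on UDP/137 inside a short window. The record format, the threshold and the window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_flows():
    """Constructed flow records (time, src, dst, proto, dst_port); not real data."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    flows = []
    # Scanner-like host: one NetBIOS name query per address across part of a /24.
    for i in range(1, 41):
        flows.append((base + timedelta(milliseconds=500 * i),
                      "10.0.5.23", f"10.0.5.{i}", "UDP", 137))
    # Benign host: repeated name queries to the same three file servers.
    for i in range(6):
        flows.append((base + timedelta(seconds=10 * i),
                      "10.0.5.50", f"10.0.5.{100 + i % 3}", "UDP", 137))
    # Unrelated SMB traffic that the detector must ignore.
    flows.append((base, "10.0.5.60", "10.0.5.7", "TCP", 445))
    return flows

def detect_netbios_sweeps(flows, threshold=20, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_targets} for sources that queried at least
    `threshold` distinct hosts on UDP/137 within any `window`-long span."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "UDP" and dport == 137:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> queries still inside the window
        recent = deque()
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            in_window[dst] += 1
            # Expire queries older than the window before counting targets.
            while recent and ts - recent[0][0] > window:
                old_ts, old_dst = recent.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for src, n in detect_netbios_sweeps(build_sample_flows()).items():
        print(f"possible NetBIOS sweep from {src}: {n} distinct hosts queried")
```

The threshold should be tuned against a baseline of normal NetBIOS traffic on the segment, since print servers and some monitoring tools legitimately query many hosts.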