Operation Diplomatic Specter

Description

(Palo Alto) A Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call Operation Diplomatic Specter. This campaign has been targeting political entities in the Middle East, Africa and Asia since at least late 2022.

An analysis of this threat actor’s activity reveals long-term espionage operations against at least seven governmental entities. The threat actor performed intelligence collection efforts at a large scale, leveraging rare email exfiltration techniques against compromised servers.

Names

Name	Name-Giver
Operation Diplomatic Specter	Palo Alto
CL-STA-0043	Palo Alto
TGR-STA-0043	Palo Alto

Country

• China

Sponsor

State-sponsored

Motivation

• Information theft and espionage

First Seen

2022

Observed Sectors

• Defense
• Education
• Embassies
• Government
• Retail
• Telecommunications

Observed Countries

• USA
• Middle East, Africa and Asia

Tools

• Agent Racoon
• China Chopper
• Gh0st RAT
• HTran
• JuicyPotatoNG
• LadonGo
• Mimikatz
• Mimilite
• nbtscan
• Ntospy
• PlugX
• SharpEfsPotato
• SweetSpecter
• TunnelSpecter
• Yasso

Information

• https://unit42.paloaltonetworks.com/operation-diplomatic-specter/
• https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/
• https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/

Other Information

Uuid

e2b7d21a-cb70-413d-803a-00ce90412300

Last Card Change

2024-06-19