Monday, January 17, 2022

New Cybersecurity Attacks Target Africa and Middle East Diplomatic Missions

ESET, a global industry-leading IT security software and service provider, has uncovered a new malware variant called Turian that is being spread by the advanced persistent threat (APT) group BackdoorDiplomacy, which primarily targets Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East.

The investigation and findings reveal that the BackdoorDiplomacy group uses a cross-platform approach, targeting both Windows and Linux systems. The attacks usually start by exploiting vulnerable internet-exposed applications on web servers in order to install a custom backdoor that ESET has christened Turian. Furthermore, the group can detect removable media, most likely USB flash drives, and copy their contents to the main drive’s recycle bin.

The attacks also involve data-collection executables designed to look for removable media (most likely USB flash drives). The implant routinely scans for such drives and, upon detecting the insertion of removable media, attempts to copy all the files on them to a password-protected archive. It is also capable of stealing system information, taking screenshots, and writing, moving, or deleting files.
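The behaviour described above (a process that enumerates a removable drive and copies its files into the main drive's recycle bin) is something a defender can look for in file-activity telemetry. The following Python is an added example, not ESET's code or a detection from the report: it runs a simple heuristic over a constructed list of file-copy events (the event fields, process name `updater.exe`, drive letters and timestamps are all made up) and flags any process that moves many files from a removable volume into a `$Recycle.Bin` directory within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches destinations under the per-volume recycle bin, e.g. C:\$Recycle.Bin\S-1-5-...\file
RECYCLE_BIN = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\", re.IGNORECASE)


def volume_of(path):
    """Return the drive letter prefix ('E:') of a Windows path, or '' if absent."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def find_removable_staging(events, removable_volumes, threshold=5,
                           window=timedelta(minutes=10)):
    """Flag processes that copy >= `threshold` files from a removable volume into
    a $Recycle.Bin directory within `window`.

    `events` is a list of dicts with keys ts (ISO 8601), proc, src, dst, in a
    constructed format; a real deployment would map EDR/Sysmon file events onto it.
    Returns {process_name: largest_number_of_copies_seen_inside_one_window}.
    """
    by_proc = defaultdict(list)
    for e in events:
        if volume_of(e["src"]) in removable_volumes and RECYCLE_BIN.match(e["dst"]):
            by_proc[e["proc"]].append(datetime.fromisoformat(e["ts"]))

    hits = {}
    for proc, times in by_proc.items():
        times.sort()
        start = 0
        # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[proc] = max(hits.get(proc, 0), count)
    return hits


# Constructed sample telemetry: six rapid copies from a removable drive into the
# recycle bin by a hypothetical "updater.exe", plus two benign-looking events.
SAMPLE_EVENTS = [
    {"ts": f"2022-01-17T09:00:0{i}", "proc": "updater.exe",
     "src": f"E:\\reports\\doc{i}.docx",
     "dst": f"C:\\$Recycle.Bin\\S-1-5-21-1111\\doc{i}.docx"}
    for i in range(6)
] + [
    # a user deleting one local file normally lands in the recycle bin too
    {"ts": "2022-01-17T09:01:00", "proc": "explorer.exe",
     "src": "C:\\Users\\alice\\old.txt",
     "dst": "C:\\$Recycle.Bin\\S-1-5-21-1111\\old.txt"},
    # a copy from the removable drive to a normal folder is not staging
    {"ts": "2022-01-17T09:01:30", "proc": "updater.exe",
     "src": "E:\\reports\\doc9.docx", "dst": "C:\\temp\\doc9.docx"},
]

# Which volumes are removable would normally come from the OS; here it is constructed.
REMOVABLE = {"E:"}

if __name__ == "__main__":
    print(find_removable_staging(SAMPLE_EVENTS, REMOVABLE))
```

The threshold and window are tuning knobs: a single file dropped into the recycle bin from a USB stick is everyday user behaviour, while a burst of copies by a non-interactive process is the pattern worth investigating.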

Speaking on the sidelines of the ESET World Conference, where the investigation report was tabled, Ken Kimani, ESET Channel Manager East Africa, said that “by definition, an advanced persistent threat is an attack by an unauthorized user who gains access to a system or network and remains there for an extended period of time without being detected, giving them continued access to sensitive data that they seek to steal”. He added that “the group is targeting servers with internet-exposed ports and likely exploiting poorly enforced file-upload security or unpatched vulnerabilities, which leave missions and organizations exposed, leading to loss of sensitive data”.
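The initial access route described in the article and in the quote above is an internet-exposed web application with weak file-upload handling. The Python below is an added example written for this page, not code from ESET or from any of the affected organisations: it shows the checks a server-side upload handler should enforce so that a client cannot store a script under a chosen name or path. The allowlist, size limit and storage directory are assumptions chosen for illustration.

```python
import os
import re
import uuid

# Allowlist of types this hypothetical endpoint accepts, with the leading bytes
# ("magic") a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024          # assumed limit
UPLOAD_DIR = "/var/uploads"                   # assumed; must be outside the web root
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def validate_upload(filename, content):
    """Return (ok, reason) for a client-supplied name and file body.

    Rejects names that could escape the upload directory (path separators,
    traversal), extensions outside the allowlist, oversized bodies, and bodies
    whose leading bytes do not match the declared type (a script renamed .png).
    """
    base = os.path.basename(filename)
    if base != filename or not SAFE_NAME.match(base):
        return False, "unsafe filename"
    if "." not in base:
        return False, "missing extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "too large"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def storage_path(filename, content):
    """Path to store a validated upload under, or None if it fails validation.

    The client's name is never reused on disk: only the validated extension is
    kept and the file gets a server-generated random name outside the web root.
    """
    ok, _ = validate_upload(filename, content)
    if not ok:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return os.path.join(UPLOAD_DIR, f"{uuid.uuid4().hex}.{ext}")


if __name__ == "__main__":
    # Constructed inputs: a real PNG header versus a text file renamed to .png.
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("photo.png", b"<?php echo 1; ?>"))
    print(validate_upload("../../site/index.png", b"\x89PNG\r\n\x1a\n"))
```

Magic-byte checks are not a full content parser, so in practice the stored file should additionally be served with a fixed Content-Type and never executed or included by the application; the point of the example is that name, extension and content are each validated server-side rather than trusted from the client.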

The BackdoorDiplomacy group shares tactics, techniques, and procedures with other Asia-based groups such as the Gelsemium cyberespionage group and Calypso. The Turian malware represents a next-stage evolution of Quarian, a backdoor last observed in use in 2013 against diplomatic targets in Syria and the United States. Turian’s network encryption protocol is nearly identical to that used by Whitebird, another backdoor deployed within diplomatic organizations in Kazakhstan and Kyrgyzstan during the same timeframe as BackdoorDiplomacy (2017-2020).

The victims of BackdoorDiplomacy have been discovered in the Ministries of Foreign Affairs of several African countries, as well as in Europe, the Middle East, and Asia. Additional targets include telecommunications companies in Africa, and at least one Middle Eastern charity. In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult.  

For more technical details about BackdoorDiplomacy, read the blog post “BackdoorDiplomacy: Upgrading from Quarian to Turian” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.


Dickson Otieno