An ArcGIS hack by Flax Typhoon went undetected for 12 months by hiding malware in legitimate extensions. We break down how it happened and how to prevent it.
In this episode of The Backup Wrap-up, we dissect one of the most troubling security incidents of the year: a sophisticated ArcGIS hack that remained hidden for an entire year. The Chinese threat group Flax Typhoon managed to compromise an ArcGIS server, turn a Java Server Object Extension into a functioning web shell, and maintain persistent access—all without triggering traditional security tools.
Here's what makes this attack so concerning: the customer was actually backing up the malware along with their legitimate data. Every backup they took preserved the attacker's backdoor, meaning restoring from backup would have reinfected the system. This is every IT professional's nightmare scenario.
We cover the complete attack chain, from the initial compromise through weak administrator credentials to the deployment of custom malware that signature-based detection couldn't identify. You'll learn why multi-factor authentication would have stopped this attack in its tracks, and why the industry needs to move beyond Indicators of Compromise (IOCs) to behavioral detection.
Curtis shares insights from ReliaQuest's analysis, including how automated response playbooks could have quarantined the server the moment it started running suspicious commands like "whoami" or communicating with command-and-control servers. We also discuss the critical importance of cyber hygiene: regular system audits, extension management, and knowing exactly what's running in your environment.
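To make the behavioral-detection point concrete, here is an added example (not from the episode or from ReliaQuest's report) of the kind of rule a playbook could evaluate: it flags reconnaissance commands spawned by the application server's own process and names the hosts to quarantine. The event schema, the server image names, the host names and the sample events are all constructed for illustration; real EDR telemetry will differ.

```python
"""Behavioral detection over constructed process-creation events.

Added example, not code from the episode or from ReliaQuest. The field
names, image names, hosts and sample events are assumptions made for
illustration only.
"""
from dataclasses import dataclass

# Reconnaissance commands a web/application server has no business running.
# Matching on the behaviour (server spawns recon) rather than on a file hash
# is what lets this catch custom malware no IOC feed has seen yet.
RECON_COMMANDS = {"whoami", "hostname", "net", "ipconfig", "systeminfo", "nltest", "quser"}

# Process images assumed to host the ArcGIS Server runtime (assumption).
SERVER_IMAGES = {"java.exe", "javaw.exe", "arcgisserver.exe"}

# Shells that a web shell typically uses as an intermediary, e.g. cmd.exe /c whoami
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name without directory; '.exe' is kept."""
    return path.lower().rsplit("\\", 1)[-1]


def _strip_exe(name: str) -> str:
    return name[:-4] if name.endswith(".exe") else name


def is_suspicious_spawn(ev: ProcessEvent) -> bool:
    """True when the server process (or a shell it launched) runs a recon command."""
    if _basename(ev.parent_image) not in SERVER_IMAGES:
        return False  # same command from an admin's desktop session is not the signal
    child = _basename(ev.image)
    if _strip_exe(child) in RECON_COMMANDS:
        return True
    if child in SHELL_IMAGES:
        # Look through the shell's arguments for a recon command token
        tokens = ev.command_line.lower().replace('"', "").split()
        return any(_strip_exe(_basename(t)) in RECON_COMMANDS for t in tokens)
    return False


def plan_response(events):
    """Return (alerts, hosts_to_quarantine) for a list of ProcessEvent."""
    alerts = [ev for ev in events if is_suspicious_spawn(ev)]
    hosts_to_quarantine = sorted({ev.host for ev in alerts})
    return alerts, hosts_to_quarantine


# Constructed sample telemetry: two suspicious spawns on gis-srv-01, three benign events
SAMPLE_EVENTS = [
    ProcessEvent("gis-srv-01", r"C:\ArcGIS\Server\runtime\jre\bin\java.exe",
                 r"C:\Windows\System32\whoami.exe", "whoami"),
    ProcessEvent("gis-srv-01", r"C:\ArcGIS\Server\runtime\jre\bin\java.exe",
                 r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami /all"'),
    ProcessEvent("gis-srv-02", r"C:\Windows\System32\services.exe",
                 r"C:\ArcGIS\Server\runtime\jre\bin\java.exe", "java.exe -Xmx4g ..."),
    ProcessEvent("ws-042", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\whoami.exe", "whoami"),
    ProcessEvent("gis-srv-01", r"C:\ArcGIS\Server\runtime\jre\bin\java.exe",
                 r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
]

if __name__ == "__main__":
    alerts, hosts = plan_response(SAMPLE_EVENTS)
    for a in alerts:
        print(f"ALERT {a.host}: {_basename(a.parent_image)} -> {a.command_line}")
    print("quarantine:", hosts)
```

Run as a script it prints two alerts and `quarantine: ['gis-srv-01']`; the workstation event with the same `whoami` command is ignored because its parent is not the server.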
You'll also get Curtis's latest research on password security, including a shocking comparison that shows a 12-character lowercase-only password takes 27,000 years to crack, compared to just two weeks for a 6-character password with full complexity. Length beats complexity every single time.
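The length-versus-complexity comparison follows directly from the size of the search space, and the added example below (not from the episode or Curtis's research) works it through: it computes the keyspace and entropy for both passwords, converts to a time to exhaust the space at an assumed guess rate, and finds the shortest lowercase-only length that already beats the six-character complex password. The 95-character "full complexity" alphabet and the guess rate of ten billion per second are constructed assumptions; the absolute times therefore differ from the figures quoted above, which come from a calculator with its own assumptions, but the ordering is what matters.

```python
"""Password search-space arithmetic: why length beats complexity.

Added example, not from the episode. The alphabet sizes and guess rate are
assumptions made for illustration.
"""
import math

LOWERCASE = 26          # a-z
FULL_COMPLEXITY = 95    # assumption: 26 lower + 26 upper + 10 digits + 33 symbols
GUESSES_PER_SECOND = 1e10   # constructed figure for an offline guessing attack
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every password in the space at the given rate."""
    return space / rate / SECONDS_PER_YEAR


def min_lowercase_length_to_beat(alphabet_size: int, length: int) -> int:
    """Shortest lowercase-only length whose keyspace exceeds the given password's."""
    target = keyspace(alphabet_size, length)
    n = 1
    while keyspace(LOWERCASE, n) <= target:
        n += 1
    return n


if __name__ == "__main__":
    for label, alpha, length in (("12 lowercase", LOWERCASE, 12),
                                 ("6 full complexity", FULL_COMPLEXITY, 6)):
        space = keyspace(alpha, length)
        print(f"{label:>18}: {space:>24,d} candidates, "
              f"{entropy_bits(alpha, length):5.1f} bits, "
              f"{years_to_exhaust(space):.3g} years at {GUESSES_PER_SECOND:.0e}/s")
    ratio = keyspace(LOWERCASE, 12) / keyspace(FULL_COMPLEXITY, 6)
    print(f"12 lowercase is {ratio:,.0f}x larger than 6 full-complexity")
    print("lowercase length needed to beat 6 full-complexity:",
          min_lowercase_length_to_beat(FULL_COMPLEXITY, 6))
```

The 12-character lowercase space is roughly 130,000 times larger than the 6-character full-complexity space (56.4 bits versus 39.4 bits), and nine lowercase characters are already enough to exceed the complex six, which is the point: each added character multiplies the work, while added complexity only enlarges the base.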
Whether you're managing ArcGIS installations, other public-facing applications, or any IT infrastructure, this episode delivers actionable lessons you need to implement today. Don't let your organization become the next 12-month breach statistic.
🔗 Mentioned in this episode:

ReliaQuest's analysis and recommendations
Behavioral detection vs. IOC-based security
Password length vs. complexity research
Flax Typhoon threat group profile
Multi-factor authentication best practices

📚 Curtis's upcoming book: Learning Ransomware Response and Recovery
Subscribe for more episodes on backup, recovery, and cybersecurity!

While you're here, here are some great episodes from this year:
https://www.youtube.com/watch?v=ZZGn5xlYTec
https://www.youtube.com/watch?v=nHz5hGZy0nY&t=2s
https://www.youtube.com/watch?v=ov834MWoBXg&t=2s

This YouTube channel is also available as an audio podcast!
https://www.backupwrapup.com

We also have a blog that I've been running for over 20 years!
https://www.backupcentral.com

I've also written four O'Reilly books! My latest:
https://www.amazon.com/Modern-Data-Protection-Recoverability-Workloads-ebook/dp/B093TQTBC3