When Your Backups Preserve the Attack: Lessons from a Year-Long Hack

An ArcGIS hack that went undetected for 12 months should be a wake-up call for every IT professional managing infrastructure today. The attack by Chinese threat group Flax Typhoon didn’t just compromise a customer’s environment—it turned their backup strategy into a malware preservation system. Every time they backed up their ArcGIS server, they were saving the attacker’s backdoor for safekeeping.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/

Let me walk you through what happened and why this matters for your security posture right now.

How the ArcGIS Hack Unfolded: A Timeline of Failure

Flax Typhoon gained initial access through compromised administrator credentials. No sophisticated zero-day exploit. No advanced social engineering. Just weak password security and the complete absence of multi-factor authentication on a critical system.

Once inside, they deployed a malicious Java Server Object Extension (SOE)—a type of plugin that’s completely normal within the ArcGIS ecosystem. They turned this extension into a functioning web shell capable of executing arbitrary commands. Then they did something almost comical: they put a password on their backdoor to make sure only they could use it.

The attackers spent 12 months exploring the customer’s environment, attempting to compromise workstations to steal additional credentials, and maintaining persistent access. The customer’s ArcGIS deployment used a public-facing server that proxied requests to an internal instance, which gave Flax Typhoon a pathway into the internal network.

When the security firm ReliaQuest finally investigated the incident, they discovered something alarming: the customer couldn’t identify which extensions were legitimate and which weren’t. They had no system inventory, no baseline of normal behavior, and no clear understanding of what should be running on their servers.

Why Traditional Security Failed Against This ArcGIS Hack

The reason this ArcGIS hack succeeded for so long comes down to one fundamental flaw: the customer relied entirely on signature-based detection. Their security tools were hunting for known Indicators of Compromise (IOCs)—specific file hashes, known malware signatures, and documented attack patterns.

Flax Typhoon wrote custom code. There were no signatures to match. No known file hashes. No documented patterns. The malware looked exactly like a legitimate ArcGIS extension because it was an ArcGIS extension—just one that had been weaponized.

The attack involved creating services, checking if they failed, restarting them, and running reconnaissance commands like “whoami.” These are behaviors that should raise red flags, but they were never flagged because the tools weren’t looking for anomalous behavior—only known bad signatures.

Think about your own environment. Are you relying on antivirus and endpoint detection that only catches known threats? If attackers write code specifically for your environment, will your tools even notice?

Behavioral Detection: The Only Defense Against Custom Attacks

The solution to this type of ArcGIS hack isn’t better signature databases. It’s a complete shift to behavioral detection and automated response.

ReliaQuest outlined what modern security should look like. When an application starts running commands like “whoami”—which no legitimate ArcGIS extension should ever need—the system should immediately quarantine that server. When an application starts communicating with known command-and-control infrastructure, those connections should be blocked automatically.

This requires understanding what normal looks like. Machine learning and AI can be incredibly helpful here, establishing baselines of typical application behavior and alerting when something deviates from the pattern. When ArcGIS suddenly starts probing workstations or establishing unusual network connections, that’s the moment to investigate—not 12 months later.

Password Security: Length Beats Complexity Every Time

One of the most eye-opening parts of analyzing this ArcGIS hack is understanding how preventable it was. The attackers got in through weak credentials. If the customer had implemented proper password security and multi-factor authentication, this entire incident would never have happened.

Here’s data that might surprise you. A 6-character password using uppercase, lowercase, numbers, and symbols—maximum complexity—can be cracked in about two weeks. A 12-character password using only lowercase letters takes 27,000 years to crack.

Length matters more than complexity. A passphrase like “prasannaisawesome” (18 characters) is exponentially more secure than a complex 8-character password, and it’s easier to remember.

But here’s the real answer: stop relying on passwords alone. Multi-factor authentication would have stopped this attack completely. If the attackers had stolen or guessed the password but couldn’t provide the second factor, they never get through the door.

Cyber Hygiene: The Unglamorous Work That Saves You

The other major lesson from this ArcGIS hack is about basic cyber hygiene—the boring, unglamorous work that IT teams often skip.

You need to know what’s running in your environment. When ReliaQuest investigated, they had to manually determine which extensions were legitimate because the customer had no documentation. That’s unacceptable. You should be conducting regular system audits, maintaining an up-to-date inventory of all software and extensions, and removing anything that’s not actively being used.
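The baseline ReliaQuest had to reconstruct by hand is cheap to keep automatically. The added example below (my own illustration, not an Esri or ReliaQuest tool) compares an approved inventory of SOE archives, keyed by SHA-256, against what is currently installed, and separately flags extensions nobody has used in 90 days. The extension names, archive contents and usage dates are constructed; in a real audit the digests would be computed over the .jar files on the server.

```python
import hashlib
from datetime import date

STALE_AFTER_DAYS = 90  # assumption for this example: unused for a quarter means remove it


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real SOE archives. The baseline is what change control approved;
# the "current" mapping is what an auditor would hash from the extensions directory today.
APPROVED_BASELINE = {
    "ElevationSOE.jar": sha256(b"approved build of ElevationSOE v1.2"),
    "RoutingSOE.jar": sha256(b"approved build of RoutingSOE v3.0"),
    "LegacyReportSOE.jar": sha256(b"approved build of LegacyReportSOE v0.9"),
}
CURRENT_DIGESTS = {
    "ElevationSOE.jar": sha256(b"approved build of ElevationSOE v1.2"),
    "RoutingSOE.jar": sha256(b"rebuilt RoutingSOE v3.0 with extra class"),  # drifted from baseline
    "MapUtilsSOE.jar": sha256(b"extension that was never approved"),       # not in baseline at all
}
LAST_USED = {"ElevationSOE.jar": date(2024, 2, 20), "RoutingSOE.jar": date(2023, 6, 1)}


def audit_extensions(baseline: dict, current: dict) -> dict:
    """Classify every installed archive as ok, modified (hash drift) or unknown (no approval record),
    and list approved archives that have disappeared."""
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    for name, digest in sorted(current.items()):
        if name not in baseline:
            report["unknown"].append(name)
        elif baseline[name] != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["missing"] = sorted(n for n in baseline if n not in current)
    return report


def stale_extensions(current: dict, last_used: dict, today: date) -> list[str]:
    """Installed archives with no usage record, or none within STALE_AFTER_DAYS, are removal candidates."""
    stale = []
    for name in sorted(current):
        used = last_used.get(name)
        if used is None or (today - used).days > STALE_AFTER_DAYS:
            stale.append(name)
    return stale
```

Anything in `unknown` or `modified` is exactly the question the customer could not answer during the investigation; anything in the stale list is the forgotten plugin the next section warns about.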

Patch management matters. Keep your systems updated. Remove old extensions that were installed once, tested briefly, and then abandoned but never uninstalled. Those forgotten plugins are attack vectors waiting to be exploited.

Review access controls regularly. Who has administrative privileges? Do they still need them? Are there accounts that haven’t been used in months but still have elevated permissions? Clean that up.

This isn’t exciting work. It won’t get you promoted. But it will prevent the kind of disaster where attackers camp out in your environment for a full year.

What You Should Do Tomorrow Morning

If you’re managing ArcGIS or any other infrastructure, here’s your action plan:

First, turn on multi-factor authentication for every administrative account. No exceptions. If your application doesn’t support MFA, start planning to replace it.

Second, audit your systems. What extensions are installed? Which ones are actually being used? Remove everything that’s not actively needed.

Third, evaluate your detection capabilities. Are you only hunting for known signatures, or can you detect anomalous behavior? If it’s the former, you’re vulnerable to the same type of attack.

Fourth, implement automated response playbooks. When suspicious activity is detected, the system should be able to quarantine servers, block network connections, and alert your security team—without waiting for manual intervention.

Fifth, use long passwords or passphrases. If you can, transition to passwordless authentication using passkeys. But at minimum, make sure passwords are at least 12 characters long.

The ArcGIS hack by Flax Typhoon is a blueprint for how attackers are operating today. They’re writing custom code that signature-based tools can’t catch. They’re exploiting weak credentials and the absence of MFA. They’re hiding in plain sight by weaponizing legitimate software. And they’re patient enough to maintain access for a year or more while they explore your environment.

Don’t let your organization become the next case study.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.
