Backdoor: what it is and how to protect against this cyber threat
In the age of advanced digitalisation, cyber threats are becoming increasingly sophisticated. Among these, the backdoor represents one of the most insidious techniques: a “hidden door” left open in a computer system, allowing hackers or malicious software to gain unauthorised access, bypassing normal security controls.
Understanding what a backdoor is, how it works, and how to defend against it is essential for anyone managing digital infrastructure – even more so for companies operating in critical sectors, such as gas distribution.
What is a backdoor and why is it dangerous?
A backdoor is a hidden, unauthorised access point to a system, application, or device that allows an attacker to gain entry without going through normal security controls. It may be created intentionally by a developer for maintenance purposes, or installed by malicious actors through a backdoor virus or backdoor malware.
What makes a backdoor particularly dangerous is its stealthy nature: it operates in the shadows, often without triggering alerts in traditional security systems. Those who exploit it can access the system silently and continuously, even after the original attack vector has been removed.
The consequences can be serious and varied:
- theft of sensitive data and access credentials;
- malware or ransomware installation;
- full remote control of the compromised system;
- disruption of operational services;
- access to connected critical infrastructure.
In the context of companies managing infrastructure networks, such as gas networks, an undetected backdoor could allow an attacker to monitor or manipulate industrial control systems, with potentially significant impacts on service continuity and safety.
The different types of backdoor
There is no single form of backdoor: it is rather a broad category encompassing very different techniques, all sharing the objective of ensuring unauthorised and persistent access to a system.
Hardware backdoors are embedded directly into the physical components of a device – such as chips, firmware, or network cards – during the manufacturing phase. They are among the most difficult to detect because they operate at a very low level of the system and are unaffected by software updates. The geopolitical debate surrounding Huawei, for example, led several Western governments to introduce formal restrictions on the use of the company’s components in national 5G networks, citing potential risks related to the presence of hardware backdoors – a case that made supply chain security a priority for governments and regulators worldwide.
Software backdoors are instead integrated into applications or operating systems and may result from a deliberate developer choice or be introduced by malicious actors through code vulnerabilities. In 2015, Juniper Networks discovered a backdoor in its VPN devices: someone had modified the random number generator of the encryption system, allowing anyone aware of the modification to decrypt all protected VPN traffic. The incident demonstrated how even products from trusted companies can be compromised without the vendor’s knowledge.
There are also network protocol backdoors, which exploit flaws in communication protocols to open hidden access channels, and cryptographic backdoors, i.e. weaknesses deliberately introduced into encryption algorithms. The Dual EC DRBG case is one of the most well-known examples: in 2013, the Snowden documents revealed that the NSA had worked to insert a backdoor into this random number generation algorithm, later adopted as a standard by NIST, leaving a lasting mark on the debate over the integrity of global cryptographic infrastructure.
One of the most widespread forms of backdoor malware is the RAT (Remote Access Trojan): malicious software that installs itself on the victim’s system by posing as a legitimate program and opens a communication channel to the attacker’s server, giving full remote control of the device. Among the most notorious are FinFisher – a commercial tool sold to governments for surveillance purposes – and DarkComet, widely used in cybercriminal and unlawful surveillance campaigns documented worldwide.
Backdoor types: characteristics and risk level
| Type | Installation method | Detection difficulty |
|------|---------------------|----------------------|
| Hardware | Device manufacturing phase | Very high |
| Software | Code vulnerability or developer choice | Medium |
| Network protocol | Exploitation of protocol flaws | High |
| Cryptographic | Introduced into the encryption algorithm | Very high |
| Malware (RAT) | Infected file download, phishing | Medium / Low |
How backdoors are installed and exploited by hackers
Understanding how a backdoor is installed is the first step towards building effective defences. Attackers use a combination of different techniques depending on the target and objective.
Many backdoors are installed by exploiting security flaws in unpatched applications, operating systems, or libraries. An unpatched system is an open door for anyone who knows the public vulnerabilities (CVEs) or possesses zero-day exploits. The Equifax breach in 2017 – which exposed the personal data of 147 million people – was made possible precisely by a vulnerability in the Apache Struts framework that went unpatched for months, demonstrating how delays in updates can have enormous consequences. The Lazarus Group, linked to North Korea, has repeatedly used targeted spear phishing campaigns to install backdoors in the systems of financial institutions and technology companies, stealing hundreds of millions of dollars in some cases.
Phishing and social engineering are another highly effective attack vector: the user is tricked into downloading an apparently innocuous file – an email attachment, a fake software update, a shared document – that actually contains a backdoor virus or a RAT. The vector works so well because it exploits human error, which is difficult to prevent through technical means alone.
Particularly sophisticated are the so-called supply chain attacks: the attacker does not target the victim directly, but compromises a third-party supplier – a hardware manufacturer, an open-source library developer, or a software vendor – to insert the backdoor into a widely distributed product. The SolarWinds case of 2020 is the most emblematic example: attackers inserted a backdoor into updates for the Orion platform, distributed to over 18,000 organisations including US government agencies and Fortune 500 companies. The backdoor remained active for months without being detected.
Weak or compromised credentials are also a frequent vector. Devices configured with default passwords, reused credentials, or accounts with excessive privileges represent an easy entry point. The Mirai botnet of 2016 is the most striking example: the malware exploited factory credentials of IP cameras, routers, and other IoT devices to infect them and install a backdoor, subsequently using them to launch DDoS attacks that took services such as Twitter, Netflix, and Reddit offline for several hours.
Finally, legitimate remote administration tools such as RDP (Remote Desktop Protocol), SSH, or VPN, if misconfigured or inadequately protected, can be exploited to create persistent access channels that are difficult to distinguish from legitimate traffic. In many ransomware attacks in recent years, the initial vector was precisely an internet-exposed RDP access with weak credentials, used to install a backdoor before initiating data encryption.
Who is most at risk and in which contexts
Although any connected system can be targeted by a backdoor, some contexts face significantly greater exposure.
Critical infrastructure – energy grids, water systems, transport infrastructure, and gas networks – are high-value targets for state actors and organised cybercriminal groups. A backdoor in these contexts does not merely aim to steal data, but may seek to compromise the operational continuity of essential services. The attack on the Ukrainian power grid in 2015 and 2016 is the most significant example: the BlackEnergy malware first, and Industroyer later, were used to install backdoors in power plant control systems, causing blackouts that left hundreds of thousands of people without electricity.
Industrial control systems (ICS/SCADA) are particularly vulnerable because they are often designed with operational availability as the primary concern rather than cybersecurity. Difficult updates, proprietary protocols, and very long life cycles amplify the risk, as dramatically demonstrated by the sequence of attacks on the Ukrainian power grid in 2015 and 2016. In the first case, BlackEnergy malware was used to infiltrate the control systems of three electricity distribution companies, disabling substations and leaving approximately 230,000 people in the Ivano-Frankivsk region without power – the first blackout in documented history deliberately caused by a cyberattack. The following year, Industroyer malware – considered by security experts to be the most sophisticated malware ever developed specifically to attack electrical infrastructure – struck the capital Kyiv, causing an outage of approximately one hour. Both attacks were attributed to the Russian group Sandworm by US intelligence and ESET and remain the most studied reference for those working on critical infrastructure security.
Industrial IoT devices – sensors, smart meters, and actuators deployed across the service territory – are also a critical vector. Their limited processing capabilities make it difficult to implement advanced security controls, and unpatched firmware, unencrypted communications, and default credentials are common compromise vectors. A particularly significant example is TRITON, also known as TRISIS: the malware discovered in 2017 was designed specifically to attack the Safety Instrumented Systems (SIS) of a petrochemical plant in Saudi Arabia – the systems responsible for preventing physical accidents and securing plants in emergencies. The objective was not to steal data, but to disable the safety mechanisms themselves, with potentially catastrophic consequences for people and the environment. The attack was attributed to the Russian group TEMP.Veles and remains one of the most alarming examples of how backdoors in industrial systems can translate into physical safety risks, not just cyber ones.
More broadly, all organisations with an extended supply chain are exposed to the risk of compromise through third-party suppliers. The SolarWinds case made clear that even organisations with high internal security standards can be targeted through a trusted vendor: every external component is a potential backdoor vector, especially if the validation process is not sufficiently structured.
How to identify a possible backdoor
Detecting a backdoor is not straightforward: by definition, it is designed to go unnoticed. However, there are signals that, if properly monitored, may indicate the presence of unauthorised access.
The main indicators to keep under control are:
- Anomalous network traffic: connections to unknown IP addresses, unusual outbound traffic spikes, or communications on non-standard ports may indicate that a process is communicating with an external command and control (C2) server. In many documented incidents, the backdoor was discovered precisely by analysing traffic: the system was sending small, encrypted packets at regular intervals, almost imperceptible without dedicated monitoring.
- Unauthorised processes or services running: the most sophisticated backdoors disguise themselves with names similar to those of legitimate processes – for example “svchost32.exe” instead of “svchost.exe” – relying on the inattention of system administrators. Executables in unusual file system locations, or services that start automatically without any documented configuration, also warrant thorough investigation.
- Unauthorised modifications to system files: alterations to network configuration files, automatic startup scripts, or critical files – especially if they do not correspond to documented maintenance activities – must be investigated immediately. File integrity monitoring (FIM) tools allow these changes to be detected in real time.
- Accounts with unjustified privileges: new users with administrative rights, or access from unusual IP addresses or geographical areas are signals not to be underestimated.
- Unexplained performance drops: abnormal CPU, memory, or network bandwidth consumption without apparent cause may indicate a malicious background process. In several documented cases, the backdoor was discovered almost by chance, when an administrator investigated an inexplicable server slowdown.
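As an added illustration of the first two indicators above (example code written for this article, not a tool from the original page), the Python script below runs over a small constructed connection log and flags periodic low-volume beaconing to a non-standard port as well as process names that imitate known Windows binaries. The log format, the allow-lists, the host names and all addresses are assumptions made for the example; the jitter threshold and minimum hit count are starting points to tune against the organisation’s own traffic baseline, since legitimate software also polls servers at fixed intervals.

```python
import difflib
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample log, one outbound connection per line:
# "<epoch seconds> <process name> <destination ip>:<port> <bytes sent>"
SAMPLE_LOG = """\
1700000000 chrome.exe 142.250.74.46:443 58210
1700000060 svchost32.exe 203.0.113.77:4444 312
1700000120 svchost32.exe 203.0.113.77:4444 305
1700000180 svchost32.exe 203.0.113.77:4444 318
1700000240 svchost32.exe 203.0.113.77:4444 309
1700000333 outlook.exe 52.96.0.10:443 120400
"""
# Assumed allow-lists; build them from the real inventory and traffic baseline.
KNOWN_BINARIES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
EXPECTED_PORTS = {53, 80, 443}

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, proc, dst, size = line.split()
        ip, port = dst.rsplit(":", 1)
        rows.append((int(ts), proc.lower(), ip, int(port), int(size)))
    return rows

def lookalike_processes(rows):
    """Process names that are not a known binary but closely resemble one."""
    names = {row[1] for row in rows} - KNOWN_BINARIES
    return sorted(n for n in names
                  if difflib.get_close_matches(n, KNOWN_BINARIES, 1, 0.8))

def beacons(rows, min_hits=4, max_jitter=0.25, max_bytes=1024):
    """(process, ip, port) tuples that contact a non-standard port with small
    payloads at a near-constant interval, the classic C2 check-in pattern."""
    by_dest = defaultdict(list)
    for ts, proc, ip, port, size in rows:
        by_dest[(proc, ip, port)].append((ts, size))
    found = []
    for key, conns in by_dest.items():
        if len(conns) < min_hits or key[2] in EXPECTED_PORTS:
            continue
        times = sorted(t for t, _ in conns)
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = pstdev(gaps) <= max_jitter * mean(gaps)  # low jitter
        if regular and mean(s for _, s in conns) <= max_bytes:
            found.append(key)
    return found

def find_indicators(text=SAMPLE_LOG):
    rows = parse_log(text)
    return {"lookalikes": lookalike_processes(rows), "beacons": beacons(rows)}
```

In a SIEM the same two checks would be expressed as correlation rules over process-creation and network-connection events rather than a batch script.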
How to defend against backdoors
Defending against backdoors requires a layered approach combining technology, processes, and a security culture. No single measure guarantees absolute protection: resilience is built through the overlapping of multiple layers of defence.
Patch management
Keeping operating systems, applications, and firmware up to date closes known vulnerabilities before they can be exploited. Most attacks leading to the installation of a backdoor exploit flaws for which patches are already available. Defining a structured process, with priorities based on the criticality of the vulnerabilities and systems involved, drastically reduces the available attack surface.
Continuous monitoring
Traffic and log monitoring is often the only effective defence against the most sophisticated backdoors, undetectable by traditional antivirus systems. Implementing SIEM (Security Information and Event Management) systems to correlate security events and detect anomalies in real time is now an indispensable practice for any organisation managing critical infrastructure. In these contexts, it is advisable to complement the SIEM with Network Detection and Response (NDR) solutions for analysing internal network traffic.
Network segmentation and least privilege
Network segmentation and the application of the least privilege principle limit the impact of an installed backdoor: even if an attacker manages to compromise a system, segmentation prevents lateral movement towards more sensitive systems. In parallel, adopting multi-factor authentication (MFA) for all privileged access and centrally managing digital identities drastically reduces the risk of credential-based compromise. The Mirai botnet experience showed that millions of devices can be compromised simply through the use of factory default passwords that were never changed.
Vulnerability assessment and penetration testing
Periodically conducting these tests, simulating the behaviour of a real attacker, allows vulnerabilities and potential backdoors to be identified before they are exploited. In critical contexts, it is advisable to carry them out at least once a year or after any significant infrastructure change, involving teams specialised in OT (Operational Technology) security as well as IT.
Supply chain verification
Adopting structured vendor assessment processes, validating the integrity of hardware and software before deployment, and using Software Bill of Materials (SBOM) practices helps to map external dependencies and detect compromised components, even when they come from historically trusted suppliers. The SolarWinds case has made this practice indispensable.
Ongoing staff training
Since many backdoors are installed through social engineering techniques such as phishing, recognising a suspicious email, avoiding downloads from unverified sources, and reporting abnormal behaviour are skills every employee should possess. Regular phishing simulations and structured awareness programmes are among the highest-return investments in cybersecurity.
In a context such as gas distribution, where the digitalisation of networks brings enormous operational benefits but also new attack surfaces, addressing the issue of backdoors is not merely a technical matter: it is a strategic priority to ensure service continuity and the security of critical infrastructure.