Iranian Hacking Group is Expanding Operations in Middle East

An Iran-based hacking group that in the past has conducted domestic surveillance is turning its gaze outward across the Middle East, according to a new report from Symantec, CNBC reports.

The cybersecurity firm said last year, the group attacked organizations in Israel, Jordan, Saudi Arabia, Turkey and the United Arab Emirates. Some of the sectors the group, known as Chafer, has targeted include airlines, aircraft services, telecom firms, and technology companies serving the air and sea transport sectors.

According to Symantec, the hacking group, dubbed “Chafer” has begun using several new tools to launch multiple attacks on nine new organizations in 2017. Symantec first reported on the group’s activities in December 2015 when it was found to be spying on domestic and international victims, many of whom were individuals located in Iran. Believed to have been active since at least July 2014, security researchers say Chafer “appears to have been undeterred by its exposure in 2015 and continued to be very active during 2017”.

“Chafer appears to be primarily engaged in surveillance and tracking of individuals, with most of its attacks likely carried out to gather information on targets or facilitate surveillance. The group staged a number of ambitious new attacks last year, including the compromise of a major telecoms services provider in the region. There is also evidence that it attempted to attack a major international travel reservations firm,” the report added, pointing to the group’s “heightened ambitions.”

Symantec said it also found evidence of attacks against an African airline.

Chafer, according to the report, appears to be primarily engaged in surveillance and tracking of individuals and most of its attack is likely carried out to gather information on targets. Symantec previously wrote about the group’s activities in a 2015 blog post, where the firm said it mostly spied on individuals within Iran. But, the report added, the group was already targeting telecom and airline companies in the region.

In earlier attacks, Chafer targeted organizations’ web servers to deploy malware through SQL-injection attacks. Last year, it added new infection methods and freely available tools to its arsenal, such as malicious documents spread via spear-phishing campaigns, to steal sensitive information. The tools included the infamous EternalBlue exploit that was previously used in the devastating WannaCry and Petya attacks.Last year, Chafer employed new, mostly free tools to carry out its attacks.

“Chafer’s recent activities indicate that the group remains highly active, is continuing to hone its tools and tactics, and has become more audacious in its choice of targets. Although a regional actor, the group has followed two trends seen globally among targeted attack groups,” Symantec said.

By relying on freely available software tools and limiting their use of malware, researchers said Chafer hopes to be “less conspicuous on a victim’s network and, if discovered, make their attack more difficult to attribute”. The group also seems to be targeting supply chain firms and compromising organizations with the goal of eventually attacking customers.

“These attacks are riskier but come with a potentially higher reward, and, if successful, could give the attackers access to a vast pool of potential targets,” researchers added.

In recent years, cybersecurity experts have pointed to the growing sophistication of Iran’s cyber-espionage capabilities, following a 2011 cyber attack that destroyed computer-controlled equipment at the country’s Natanz uranium enrichment facility. U.S. intelligence officials previously said that hackers believed to be linked to the Iranian government attacked Saudi state oil giant Aramco in 2012, successfully wiping thousands of computers and paralyzing operations.

Chafer is now using malicious Excel documents circulated through spear phishing emails. The documents install three files on the computer: an information stealer, a screen capture utility and an empty executable. They’re also using new tools to compromise networks. Chafer’s recent activities indicate a greater reliance on new, freely available software tools, including Remcom, Non-sucking Service Manager, a custom screenshot and clipboard capture tool, SMB hacking tools, GNU HTTPTunnel, UltraVNC, and NBTScan. Chafer is trending toward attacks on the supply chain, compromising organizations through trusted channels with the goal of then attacking their customers.

Regarding Chafer, Symantec’s security response technical director Vikram Thakur said the information they are pursuing is “more likely to be usable by the government”.

“Whether they are working on behalf of the government or they’re doing it on their own accord with plans to sell the information to a third party, we have no idea,” he told The Hill.

Security experts have further traced a number of subsequent attacks back to Iran, including hacks on Saudi, American and South Korean companies. Iran has not commented on those accusations. In February, Saudi Foreign Minister Adel Al-Jubeir told CNBC that Iran was “the most dangerous nation” for cyber threats.

“Iran is the only country that has attacked us repeatedly and tried to attack us repeatedly. In fact, they tried to do it on a virtually weekly basis,” Al-Jubeir said.

He added that Saudi Arabia is taking “all the steps necessary” to defend itself and training its people to “be able to engage in offensive operations to make it hopefully impossible for people to penetrate those systems.” The Iranian government has previously denied accusations of cyber-aggression. It did not respond last month to a request for a response to Al-Jubeir’s comments.