Iranian hacking group widens reach across MEA: Symantec
Chafer seen to move up the telecoms and transport supply chain to facilitate widescale surveillance of targets
A major telecoms services provider was one of a number of organisations in the region to fall victim to the Iranian-based targeted attack group Chafer, according to Symantec researchers.
The Symantec Security Response team said Chafer also attempted to attack a major international travel reservations firm, as it widened its reach across the Middle East and Africa while deploying several new attack tools.
Chafer appears to be primarily engaged in surveillance and tracking of individuals, with most of its attacks likely carried out to gather information on targets or facilitate surveillance.
Chafer has been active since at least July 2014 and its activities were first exposed by Symantec in December 2015, when it was found to be conducting targeted surveillance of domestic and international targets. At the time, many of its targets were individuals located in Iran, and it had already begun compromising telecom providers as well as airline companies in the Middle East region.
Chafer appears to have been undeterred by its exposure in 2015 and continued to be very active during 2017, using seven new tools, rolling out new infrastructure, and attacking nine new target organisations in the region. The group hit organisations in Jordan, the United Arab Emirates, Saudi Arabia, and Turkey.
Sectors targeted included airlines; aircraft services; software and IT services companies serving the air and sea transport sectors; telecoms services; payroll services; engineering consultancies; and document management software.
Outside of the Middle East, Symantec has also found evidence of attacks against one African airline and attempts to compromise an international travel reservations firm.
Ambitious new targets
The targeted telecoms services provider sells its solutions to multiple telecoms operators in the region. The ultimate goal of the attack may have been to facilitate surveillance of end-user customers of telecoms operators, the researchers believe. By moving two steps up the supply chain the attackers could potentially have carried out surveillance on a vast pool of end-users.
Alongside evidence of compromise of the organisation itself, Symantec also found a copy of one of the company’s own files, relating to its messaging software, on a staging server used by Chafer. The file was in a directory alongside a number of hacking tools used by the attackers.
A second target outside the Middle East provides further confirmation of Chafer’s heightened ambitions in recent times. Symantec found evidence that it had tried to compromise a large international travel reservations firm. There was no indication that the attack was successful, but Chafer did successfully infiltrate an African airline that is a customer of the reservations firm.
How Chafer infects targets
In the earlier attacks from 2015, Symantec found evidence that Chafer had been compromising targeted organisations by attacking their web servers, likely through SQL injection attacks, in order to drop malware onto them. In 2017, the group added a new infection method to its toolkit: malicious documents, likely circulated through spear-phishing emails sent to individuals working in targeted organisations.
These documents were Excel spreadsheets. When opened, they downloaded a malicious VBS file that in turn ran a PowerShell script. Several hours later, a dropper would appear on the compromised computer. This would install three files on the computer: an information stealer, a screen capture utility, and an empty executable.
The screen capture utility appeared to be used for initial information gathering, as it was only used briefly at the beginning of each infection and not seen again. The information stealer was capable of stealing the contents of the clipboard, taking screenshots, recording keystrokes and stealing files and user credentials. After this initial activity, the attackers usually downloaded more of their tools to the computer using a PowerShell downloader and began moving across the victim’s network.
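The infection chain described above (an Excel document spawning a script host that in turn launches PowerShell) is visible in process-creation telemetry before the dropper ever lands. The following detection logic is an added example, not code from Symantec or from the article: it walks constructed Sysmon-style process events (hypothetical host names and PIDs) and flags any shell whose ancestry runs back through a script host to an Office application. It generalises slightly beyond the article by also covering Word and PowerPoint as parents, `cscript.exe` and `mshta.exe` as script hosts, and an Office application spawning a shell directly (flagged at lower severity).

```python
"""Flag Office -> script host -> shell process chains in constructed
process-creation events. Added example; the events are invented, not telemetry
from the Symantec report. Assumes image names are already reduced to a
lowercase basename (e.g. "excel.exe"), as you would get from normalising the
Sysmon Event ID 1 Image field."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str  # lowercase executable basename, e.g. "excel.exe"


# Hypothetical sample telemetry, constructed for this example.
SAMPLE_EVENTS = [
    ProcEvent("ws01", 100, 1, "explorer.exe"),
    ProcEvent("ws01", 200, 100, "excel.exe"),
    ProcEvent("ws01", 300, 200, "wscript.exe"),     # Excel launched a VBS via the script host
    ProcEvent("ws01", 400, 300, "powershell.exe"),  # which then ran PowerShell
    ProcEvent("ws02", 100, 1, "explorer.exe"),
    ProcEvent("ws02", 200, 100, "excel.exe"),
    ProcEvent("ws02", 300, 100, "powershell.exe"),  # sibling of Excel, not a descendant: benign
    ProcEvent("ws03", 100, 1, "explorer.exe"),
    ProcEvent("ws03", 200, 100, "winword.exe"),
    ProcEvent("ws03", 300, 200, "cmd.exe"),         # Office spawning a shell directly
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def index_by_host(events: List[ProcEvent]) -> Dict[str, Dict[int, ProcEvent]]:
    """Group events per host and key them by PID so parents can be looked up."""
    idx: Dict[str, Dict[int, ProcEvent]] = {}
    for ev in events:
        idx.setdefault(ev.host, {})[ev.pid] = ev
    return idx


def ancestry(procs: Dict[int, ProcEvent], pid: int, max_depth: int = 32) -> List[str]:
    """Image names from pid up towards the root, nearest first; guards against
    PID reuse loops and truncated trees by bounding depth and tracking seen PIDs."""
    chain: List[str] = []
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = procs.get(cur.ppid)
    return chain


def find_office_script_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per shell process that descends from an Office app.
    Severity is 'high' when a script host sits between them (the chain the
    article describes) and 'medium' when the Office app spawned the shell directly."""
    alerts = []
    for host, procs in index_by_host(events).items():
        for ev in procs.values():
            if ev.image not in SHELLS:
                continue
            chain = ancestry(procs, ev.pid)  # [shell, parent, grandparent, ...]
            office_pos = next((i for i, img in enumerate(chain) if img in OFFICE_APPS), None)
            if office_pos is None:
                continue
            via_script_host = any(img in SCRIPT_HOSTS for img in chain[1:office_pos])
            alerts.append({
                "host": host,
                "pid": ev.pid,
                "chain": list(reversed(chain[:office_pos + 1])),  # office -> ... -> shell
                "severity": "high" if via_script_host else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_office_script_chains(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], " -> ".join(alert["chain"]))
```

The walk is per host because PIDs are only unique within a machine, and it bounds the ancestry depth so a recycled PID cannot send it round in a loop. Keying on the full ancestry rather than the immediate parent is what matters here: the article's chain has a script host between Excel and PowerShell, so a rule that only checks "Office app is the direct parent of PowerShell" would miss it.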
Growing threat to organisations in the Middle East
Chafer’s recent activities indicate that the group remains highly active, is continuing to hone its tools and tactics, and has become more audacious in its choice of targets. Although a regional actor, the group has followed two trends seen globally among targeted attack groups. The first is a greater reliance on freely available software tools, also known as “living off the land.” By limiting their use of malware, groups such as Chafer hope to be less conspicuous on a victim’s network and, if discovered, make their attack more difficult to attribute.
The second trend is towards attacks on the supply chain, compromising organisations with the goal of then attacking the customers, or even the customers of the customers, of those organisations. These attacks require more “steps” to reach their ultimate target, which adds time and risk for the attackers. However, these attacks also leverage trusted channels into the eventual target, e.g., through a trusted supplier, allowing attackers to potentially circumvent security systems at the organisation they ultimately wish to compromise. These attacks are riskier but come with a potentially higher reward and, if successful, could give the attackers access to a vast pool of potential targets.