Posted on March 2, 2018 at 7:31 AM
The Iranian hacking group Chafer is widening its surveillance across the Middle East and expanding its tools and techniques. Ironically, the group keeps growing despite being watched by Symantec.
Chafer picks up steam, despite being watched
A new report from Symantec finds that the hacking group Chafer is expanding its scope to targets across the Middle East. They had previously focused on targets within Iran; they have now shown activity in Israel, Jordan, the UAE, Saudi Arabia and Turkey. This is a concerning pattern of growth since the group was first reported on in 2015. Chafer is stepping up its attacks despite being exposed by Symantec, and shows no sign of curbing its efforts to gather compromising information on victims. According to Symantec's most recent report, from February 2018, the group appears to be mostly surveilling individuals, through attacks on telecommunications companies. They carried out nine new attacks in 2017 and seemed to be collecting information for the purpose of tracking specific end users.
Targets have mostly been in transportation-related industries, including airlines, along with technology firms. The group has begun using freely available, off-the-shelf software in an attempt to gather information under the radar, apparently to avoid both detection and attribution. Their malware is spread through phishing and SQL injection. Emails carrying an Excel attachment are sent to targeted individuals within an organization; once the attachment is opened, it downloads files that install a malware dropper. The malware can steal files from the user's computer, capture screenshots, and log keystrokes. It also installs tools that let the attackers move laterally across the network to many more machines.
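The infection chain described above (a spreadsheet attachment that, once opened, launches something to fetch and install a dropper) leaves a recognizable trace in process-creation telemetry: an Office application becomes the parent of a script host or downloader. The following is an added example of detection logic for that pattern, written for this page; it is not code from the article, from Symantec, or from the Chafer report. It assumes Sysmon-style process-creation events (fields named `Image`, `ParentImage`, `CommandLine`, `Computer`) supplied as Python dictionaries; the sample events, host names, users and paths are constructed for the example.

```python
"""Added example: flag Office applications spawning script hosts or
downloaders, the staging step of a spreadsheet-attachment dropper.

Event records below are constructed in the style of Sysmon Event ID 1
(process creation). Field names follow Sysmon; hosts, users and paths
are made up for this example.
"""
import os
import re

# Office applications that should not normally launch scripting or
# download tooling on their own.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Child processes that, when launched by an Office app, usually mean a
# macro, DDE or OLE payload is staging a second-stage download.
SUSPICIOUS_CHILDREN = {
    "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
    "mshta.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe",
    "rundll32.exe", "regsvr32.exe",
}

# Command-line fragments that indicate a download or hidden execution.
DOWNLOAD_PATTERN = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|-urlcache|"
    r"https?://|-enc\b|-encodedcommand|-w(indowstyle)? hidden|-nop\b)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def dropper_indicators(event):
    """Return the reasons this event looks like an Office-delivered dropper
    stage; an empty list means nothing suspicious was seen."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"office app {parent} spawned {child}")
    if parent in OFFICE_APPS and DOWNLOAD_PATTERN.search(cmdline):
        reasons.append("download or hidden-execution flags in command line")
    return reasons


def find_suspicious(events):
    """Scan a sequence of process-creation events and return
    (host, image, reasons) for every event with at least one indicator."""
    hits = []
    for event in events:
        reasons = dropper_indicators(event)
        if reasons:
            hits.append((event["Computer"], event["Image"], reasons))
    return hits


# Constructed sample events (not real telemetry).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {   # spreadsheet attachment launched a VBS stager: should be flagged
        "Computer": "WS-FIN-07", "ParentImage": OFFICE + r"\EXCEL.EXE",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'wscript.exe //B "C:\Users\jdoe\AppData\Local\Temp\invoice.vbs"',
    },
    {   # hidden, encoded PowerShell from Excel: should be flagged twice
        "Computer": "WS-OPS-12", "ParentImage": OFFICE + r"\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
    },
    {   # user opening a spreadsheet from Explorer: benign
        "Computer": "WS-FIN-07", "ParentImage": r"C:\Windows\explorer.exe",
        "Image": OFFICE + r"\EXCEL.EXE",
        "CommandLine": r'"EXCEL.EXE" "C:\Users\jdoe\Downloads\q3.xlsx"',
    },
    {   # Word printing via the print spooler helper: benign
        "Computer": "WS-HR-02", "ParentImage": OFFICE + r"\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288",
    },
    {   # admin script downloading from a shell, not from Office: not flagged
        "Computer": "SRV-ADM-01", "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Invoke-WebRequest https://updates.example.local/agent.msi",
    },
]

if __name__ == "__main__":
    for host, image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(host, basename(image), "; ".join(reasons))
```

Both rules are scoped to an Office parent on purpose: a download flag in a PowerShell command line is routine on administrative hosts (the last sample event), but the same command line with a spreadsheet as its parent is almost never legitimate. Pairing this with a block on macros from untrusted documents, which removes the stager's launch path entirely, is the stronger control.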
More tools for bigger targets
Chafer is streamlining and improving its techniques and going after bigger fish. The group has rolled out seven new tools for its attacks. Beyond surveilling individuals, it is not yet clear what Chafer intends to do with what it collects. In addition to the nine successful attacks of 2017, Chafer also attempted to compromise a large international travel booking agency and an African airline; both attempts were unsuccessful.
Chafer has also used the EternalBlue SMB exploit. Originally developed by the NSA, EternalBlue was leaked by the Shadow Brokers in April 2017. It targets a Windows SMBv1 flaw that Microsoft had already patched as MS17-010 in March 2017, so hosts that are patched or have SMBv1 disabled are not exposed to it. The group's growing reliance on third-party, publicly available software is another marker of its expanding toolkit.
Growing, but not unique
Chafer is only one of many cyber attack groups in Iran. Since around 2011, experts have watched Iranian actors emerge as major disruptors and malware operators. One example of an attack attributed to Iranian hacking groups is the Shamoon virus, which aggressively wiped hard drives at Saudi Aramco in 2012. Despite the expert consensus, Iran has denied any involvement in such tactics. According to Vikram Thakur, technical director of Symantec's Security Response team, the information gathered in these attacks is more likely to be useful to government actors than to anyone else. He admits, though, that he does not know what the group actually plans to do with the data.
The rising trend of Iranian hacking is of growing concern to the international community. As groups like Chafer widen their horizons, security must be tightened globally. Since experts do not know where the compromised information ultimately ends up, it is all the more important to disrupt these attacks before they take root.