Chafer: Iranian hacking group expands attacks, spying operations on airline firms in Middle East
One of the tools used by Chafer was the EternalBlue exploit that was previously deployed in the devastating WannaCry and Petya attacks.
An Iranian hacking outfit, which was previously focused on domestic surveillance, is now expanding its scope and cyber arsenal to target entities across the Middle East, security researchers said. According to Symantec, the hacking group , dubbed "Chafer", has begun using several new tools to launch multiple attacks on nine new organisations in 2017.
Symantec first reported on the group's activities in December 2015 when it was found to be spying on domestic and international victims, many of whom were individuals located in Iran.
Believed to have been active since at least July 2014, security researchers say Chafer "appears to have been undeterred by its exposure in 2015 and continued to be very active during 2017".
"Chafer appears to be primarily engaged in surveillance and tracking of individuals, with most of its attacks likely carried out to gather information on targets or facilitate surveillance," Symantec said in a report published on Wednesday, 28 February.
"The group staged a number of ambitious new attacks last year, including the compromise of a major telecom services provider in the region."
Last year, the group hit organisations in Saudi Arabia, the United Arab Emirates, Jordan, Israel and Turkey. The targeted sectors included airlines and aircraft services, telecom providers, payroll services, engineering consultancies and technology firms serving the air and sea transport sectors.
Researchers also found evidence of attacks against an unnamed African airline and attempts to compromise a major international travel reservations firm.
In earlier attacks, Chafer targeted organisations' web servers to deploy malware through SQL-injection attacks. Last year, it added new infection methods and freely available tools to its arsenal, such as malicious documents spread via spear-phishing campaigns, to steal sensitive information.
The tools included the infamous EternalBlue exploit that was previously used in the devastating WannaCry and Petya attacks.
"Chafer's recent activities indicate that the group remains highly active, is continuing to hone its tools and tactics, and has become more audacious in its choice of targets," Symantec said. "Although a regional actor, the group has followed two trends seen globally among targeted attack groups."
By relying on freely available software tools and limiting their use of malware, researchers said Chafer hopes to be "less conspicuous on a victim's network and, if discovered, make their attack more difficult to attribute". The group also seems to be targeting supply chain firms and compromising organisations with the goal of eventually attacking customers.
"These attacks are riskier but come with a potentially higher reward, and, if successful, could give the attackers access to a vast pool of potential targets," researchers added.
Iran-linked cyberattacks
Cybersecurity experts have raised concerns about Iran's increasingly sophisticated cyber capabilities following the Stuxnet computer virus attack in 2011 that ravaged the Natanz uranium enrichment plant in central Iran.
Iranian hackers are widely believed to be behind the destructive disk-wiping malware Shamoon that hit Saudi Aramco and other energy companies in 2012. Iran has previously vehemently denied any involvement in the cyberattacks.
Regarding Chafer, Symantec's security response technical director Vikram Thakur said the information they are pursuing is "more likely to be usable by the government".
"Whether they are working on behalf of the government or they're doing it on their own accord with plans to sell the information to a third party, we have no idea," he told The Hill.