Chafer: Hacking group expands espionage operation with new attacks

Hacking group turns to new tactics and tools - including the exploit behind WannaCry - as it expands operations to a wider array of targets with ambitious attacks.
Written by Danny Palmer, Senior Writer

A hacking group has expanded its operations, taking advantage of new tools - including the EternalBlue SMB exploit - to attack organisations across the Middle East for the purposes of surveillance and intelligence gathering.

Targets are mostly working in telecoms and transport and their surrounding supply chains - with IT software, payroll, aircraft services and engineering firms all targets during the last year.

The operations of Chafer, an Iran-based targeted attack group, have been detailed by researchers at security company Symantec, who note that since first being exposed in 2015, the group has expanded its surveillance and cyber attack operations.

Several new tools have been added to the Chafer arsenal, including the EternalBlue exploit - the leaked NSA exploit which powered last year's WannaCry and NotPetya outbreaks - allowing the attackers to more easily traverse target networks.

In total, Chafer has deployed seven new tools, which it has used to attack nine new targets in the Middle Eastern region, including organisations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey.

Researchers also found evidence that Chafer has carried out attacks against an African airline and attempted to compromise an 'international travel reservations firm' - although attacks on the latter weren't successful.

One of the organisations found to be compromised by Chafer was a 'telecoms services provider in the Middle East' which is said to sell its solutions to multiple operators across the region.

Researchers say that the ultimate goal of this attack could have been to carry out surveillance of end-users, something which could have been achieved on a vast scale if the attackers had managed to move just two more steps up the supply chain.

It's this sort of attack against large organisations in the region which Symantec points to as evidence of 'heightened ambitions in recent times'.

Previous attacks relied on attacking the web servers of targets - likely through SQL injections - in order to drop malware. Throughout 2017, however, Chafer began using new tactics to compromise targets, with spear-phishing emails sent to individuals in targeted organisations.

These messages come with an Excel spreadsheet attachment which, when opened, downloads a malicious VBS file which then runs a PowerShell script, eventually leading to a malware dropper being installed on the computer.
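The delivery chain described above (Excel attachment, VBS file, PowerShell script) leaves a recognisable process lineage on an endpoint. The following is an added detection sketch, not code from Symantec or from the original article: it flags PowerShell processes that descend from a script host which itself descends from Excel. It assumes the VBS file runs under wscript.exe or cscript.exe, and the event fields and sample events are constructed for illustration.

```python
import ntpath

OFFICE = {"excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed hosts for the VBS stage
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events (illustrative, not from Symantec's report).
EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"host": "ws01", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"host": "ws01", "pid": 350, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "pid": 400, "ppid": 350, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Admin starts PowerShell from the desktop: no Office or script-host ancestor.
    {"host": "ws02", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws02", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Script host runs PowerShell, but nothing in the lineage is an Office process.
    {"host": "ws03", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws03", "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe"},
    {"host": "ws03", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def name(proc):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(proc["image"]).lower()

def find_chains(events, max_depth=8):
    """Return (host, [pids from Excel down to PowerShell]) for each matching lineage.

    Intermediate processes such as cmd.exe between stages are tolerated.
    PID reuse is ignored; max_depth bounds the walk if parent links loop.
    """
    procs = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        if name(e) not in POWERSHELL:
            continue
        lineage, cur = [e], e  # child first, then successive ancestors
        for _ in range(max_depth):
            cur = procs.get((cur["host"], cur["ppid"]))
            if cur is None:
                break
            lineage.append(cur)
        names = [name(p) for p in lineage]
        script = next((i for i, n in enumerate(names) if n in SCRIPT_HOSTS), None)
        if script is None:
            continue
        office = next((i for i in range(script + 1, len(names)) if names[i] in OFFICE), None)
        if office is not None:
            hits.append((e["host"], [p["pid"] for p in reversed(lineage[:office + 1])]))
    return hits
```
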

Once this is active, additional capabilities to steal information are activated, including the ability to steal the contents of the clipboard, take screenshots, record keystrokes and secretly steal files and user credentials from the machine.

However, this isn't where the attacks end, because in most cases, the attackers use a PowerShell downloader to install more tools to move across the network. These are the new tools embraced by the latest Chafer attacks and many of them are freely available off-the-shelf products which can be exploited for malicious purposes.

These tools are used in conjunction with SMB hacking tools like the EternalBlue exploit to help the attackers spread across networks in order to conduct surveillance and espionage.

Chafer's latest attacks also come with new infrastructure, with a new command-and-control address for aiding with attacks. Symantec uncovered multiple IP addresses used by the attackers, although it's unknown if these have been leased to the attackers or simply hijacked.

In one instance, researchers uncovered what they believe to be a staging server for attacks within the network of one of the targeted organisations, featuring copies of many of the attacking tools.

Symantec says the Chafer hacking group remains 'highly active' and is continuing to hone its tools and tactics while also becoming 'more audacious in its choice of targets'.

While researchers note that the vast majority of Chafer operations are restricted to the Middle East, the group is following global trends for attack groups by relying on freely available software in order to carry out attacks - it's a tactic used by many operators.

The group is also following in the footsteps of others by putting effort into supply-chain attacks. While it requires more steps to reach the ultimate target - adding more time and risk of being uncovered - if the campaign is successful, they can reap much bigger rewards with the ability to bypass the security systems of the targeted organisation.

"Chafer's previous activities indicate that they're interested in tracking targets' movements and communications in order to gather intelligence on their customers. In this case, the group moved one step up the chain to target the customers of their targets' customers, believed to be the ultimate target of the attacks," Dick O'Brien, Threat Researcher at Symantec told ZDNet.

"These kinds of attacks are difficult to perform, but they weren't afraid to try," he added.
