Chafer, a hacking group widely believed to have ties to Iran, has targeted air transport and government agencies in Kuwait and Saudi Arabia with attacks going back to 2018, according to security research firm Bitdefender.
Bitdefender said that the methods used, the history of the group, and the targets suggest that the goal of the attacks was likely “data exploration and exfiltration.”
“The campaigns were based on several tools, including ‘living off the land’ tools, which makes attribution difficult, as well as different hacking tools and a custom built backdoor,” according to a Bitdefender security alert. Living off the land tools are legitimate software applications deployed in victims’ IT systems, which are used by hackers for their own purposes.
Bitdefender analysed system images from several organisations in Kuwait and one in Saudi Arabia, according to Liviu Arsene, a senior security researcher at the security firm. Based on knowledge of prior Chafer APTs (advanced persistent threats) and data collected from “honeypot” systems used to lure hackers, it’s likely that the group targeted additional organisations in this recent campaign, Arsene said.
The targeted organisations consulted with Bitdefender to analyse the attacks. The company has declined to name the target organisations.
Attacks started in 2018
The first traces of the attacks in Kuwait go back almost two years. “The first signs of compromise were several reverse TCP files and PowerShell commands that executed some base64 compressed code, specific to the Metasploit framework,” according to the Bitdefender alert. TCP, or transmission control protocol, is a standard for communication among devices on a network, while PowerShell is a scripting language for task automation and configuration management.
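The indicator described above, base64-encoded PowerShell that unpacks and evaluates compressed code in memory, is something a defender can triage directly from process-creation logs. The following is an added example, not code from the article or from Bitdefender: it builds a few constructed command lines (the encoded payloads are generated from plain scripts so the sample stays readable, and the "suspicious" one only carries the decode-decompress-evaluate shape with a placeholder in place of any real payload), decodes any `-EncodedCommand` argument (UTF-16LE base64, which is what PowerShell expects), and reports which in-memory loader indicators the decoded script contains. All function and pattern names are this example's own choices.

```python
import base64
import re


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand takes the script as base64 over its UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample scripts (not taken from the Bitdefender report).
BENIGN_SCRIPT = "Get-Date | Out-File C:\\logs\\heartbeat.txt"
# Constructed to carry the shape of a Metasploit-style loader (decode, decompress,
# evaluate); the inner payload is a placeholder string, not real code.
SUSPICIOUS_SCRIPT = (
    "$m=New-Object IO.MemoryStream(,[Convert]::FromBase64String('PLACEHOLDER'));"
    "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($m,"
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
)

# Constructed process command lines, as they would appear in a 4688 / Sysmon 1 event.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell(BENIGN_SCRIPT),
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(SUSPICIOUS_SCRIPT),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Traits of an in-memory stager; each on its own is weak, together they are a strong signal.
SUSPICIOUS_PATTERNS = {
    "inline_decode": re.compile(r"FromBase64String", re.IGNORECASE),
    "in_memory_decompress": re.compile(r"IO\.Compression\.(?:Gzip|Deflate)Stream", re.IGNORECASE),
    "dynamic_eval": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "raw_tcp_socket": re.compile(r"Net\.Sockets\.TcpClient", re.IGNORECASE),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the line carries an encoded command, else None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or not UTF-16LE: leave for manual review


def analyze_command_line(cmdline: str) -> dict:
    """Decode the command (if encoded) and list the loader indicators it contains."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"encoded": False, "decoded": None, "indicators": []}
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(decoded)]
    return {"encoded": True, "decoded": decoded, "indicators": hits}


def triage(cmdlines):
    """Return (command line, analysis) pairs for every line with at least one indicator."""
    results = []
    for line in cmdlines:
        report = analyze_command_line(line)
        if report["indicators"]:
            results.append((line, report))
    return results


if __name__ == "__main__":
    for line, report in triage(SAMPLE_COMMAND_LINES):
        print(", ".join(report["indicators"]), "->", report["decoded"][:60], "...")
```

Decoding before matching matters: the encoded form of the same script changes with every whitespace or variable-name tweak, so signatures on the base64 text itself are brittle, while the decoded script exposes the stable traits. An encoded command that fails to decode is worth a look on its own rather than being silently dropped.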
It’s possible that the attackers used documents tainted with shellcodes, disseminated through spearphishing emails to the victims, Bitdefender said. The shellcodes would have been executed when victims open up the documents.
“Usually the way [these attacks] happen is that the threat actors first gain a foothold in an organization, then they expand on that access and deploy tools to further compromise systems and tools for exfiltration,” Arsene said. “This process can happen over a long time.”
In the Kuwait attacks, after the initial compromise, the attackers deployed network-scanning and credential-gathering software. They then installed custom executable files, including a backdoor (imjpuexa.exe), which would allow them to modify files, steal data and install software. Unusual behaviour under one user account led Bitdefender to believe that the attackers created a user account in order to carry out tasks on the victim’s network.
Activity on weekends avoids detection
Most of the hacking activity occurred on the weekends, to avoid detection. Use of an attacker-created account, for example, could have kicked an active, legitimate user off the target system, alerting network administrators, Arsene said. Bitdefender did not examine network logs and could not confirm that data was stolen, Arsene said.
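The two behaviours described above, an attacker-created account and activity concentrated on weekends, can be turned into a simple hunt over account-management and logon events. The following is an added example, not code from the article or from Bitdefender: it runs over a handful of constructed Windows security events (4720 for account creation, 4624 for logon) and flags activity that falls on a weekend or outside business hours, then singles out accounts that were both created and first used off-hours. One caveat a practitioner would want: the weekend in Kuwait and Saudi Arabia is Friday and Saturday, not Saturday and Sunday, so the weekend set is a parameter rather than a hard-coded assumption. The event fields, hours and account names are this example's own constructed values.

```python
from datetime import datetime, time

# Constructed sample events, timestamps in the organisation's local time.
# 2019-03-15 is a Friday, 2019-03-16 a Saturday, 2019-03-17 a Sunday.
SAMPLE_EVENTS = [
    {"time": "2019-03-12T10:14:00", "event_id": 4624, "user": "jdoe", "host": "WS-07"},
    {"time": "2019-03-14T18:40:00", "event_id": 4624, "user": "jdoe", "host": "WS-07"},
    {"time": "2019-03-15T02:31:00", "event_id": 4720, "user": "svc_backup2", "host": "DC-01"},
    {"time": "2019-03-16T03:05:00", "event_id": 4624, "user": "svc_backup2", "host": "FS-02"},
    {"time": "2019-03-17T09:02:00", "event_id": 4624, "user": "asmith", "host": "WS-11"},
]

# datetime.weekday(): Monday == 0 ... Sunday == 6
GULF_WEEKEND = {4, 5}      # Friday, Saturday (Kuwait, Saudi Arabia)
WESTERN_WEEKEND = {5, 6}   # Saturday, Sunday
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

ACCOUNT_CREATED = 4720
LOGON = 4624


def is_off_hours(ts: datetime, weekend=GULF_WEEKEND,
                 start=BUSINESS_START, end=BUSINESS_END) -> bool:
    """True if the timestamp falls on a weekend day or outside business hours."""
    return ts.weekday() in weekend or not (start <= ts.time() < end)


def off_hours_events(events, weekend=GULF_WEEKEND):
    """Every event whose timestamp is outside the normal working window."""
    flagged = []
    for ev in events:
        if is_off_hours(datetime.fromisoformat(ev["time"]), weekend):
            flagged.append(ev)
    return flagged


def created_then_used_off_hours(events, weekend=GULF_WEEKEND):
    """Accounts created off-hours and then used for a logon, also off-hours."""
    created_at = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == ACCOUNT_CREATED and is_off_hours(ts, weekend):
            created_at[ev["user"]] = ts
    suspicious = set()
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if (ev["event_id"] == LOGON and ev["user"] in created_at
                and ts > created_at[ev["user"]] and is_off_hours(ts, weekend)):
            suspicious.add(ev["user"])
    return suspicious


if __name__ == "__main__":
    for ev in off_hours_events(SAMPLE_EVENTS):
        print("off-hours:", ev["time"], ev["event_id"], ev["user"], ev["host"])
    print("created and used off-hours:", sorted(created_then_used_off_hours(SAMPLE_EVENTS)))
```

With the Gulf weekend the Sunday-morning logon by `asmith` is ordinary working-day activity and only the new `svc_backup2` account is flagged; with a Saturday/Sunday weekend the same data produces an extra false positive, which is why the calendar has to match the organisation being monitored.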
The attack in Saudi Arabia did not start until January 2019, and was not as elaborate as the attacks in Kuwait, either because the attackers were unable to find exploitable machines on the network after their initial compromise, or because network reconnaissance turned up no data of interest, Bitdefender said. The initial compromise likely occurred when a user or users downloaded RAT (remote access Trojan) malware programs, the security firm reported.
Living off the land tools used by the attackers include NSSM, or non-sucking service manager, a widely used utility for managing various services and processes.
One of the RAT components used in the Saudi attack (snmp.exe) was also installed on victim machines in Kuwait under the name imjpuexa.exe – one reason for concluding that the attacks were launched by the same group. Bitdefender also noted that another file that implements RAT functionality is similar to the Python-based MechaFlounder, used in a 2018 attack against a Turkish government entity and attributed to Chafer by Unit 42, a Palo Alto Networks security service.
Chafer’s activities were first reported by Symantec in 2015, though the hacking group is believed to have been active since at least 2014. Symantec found that the group was conducting surveillance of targets in Iran and abroad, and that it had started attacking telecom and airline companies in the Middle East, likely as a way to obtain information on Iranian individuals.
Chafer activity tied to Iranian interests
There are multiple reasons to link Chafer to various attacks in the Middle East, and to believe it has ties to Iran. The Kuwait and Saudi Arabian attacks analysed by Bitdefender, for example, use a variation of the “Remexi” backdoor tool discovered and attributed to Chafer by Symantec in 2015. Some files used by the group also have been found to have Farsi text strings.
“Security researchers may not be able to confirm a direct link between a state sponsor and an APT, but may see that its activities align with the interests of a nation-state,” Arsene said.
Chafer has been linked to APT39, apparently a separate Iran-affiliated hacking group. Like Chafer, “APT39 likely focuses on personal information to support monitoring, tracking, or surveillance operations that serve Iran’s national priorities, or potentially to create additional accesses and vectors to facilitate future campaigns,” according to Mitre researchers.
The Middle East is fertile ground for cyberespionage, and geopolitical tensions caused by the coronavirus pandemic and oil market turmoil may spark an uptick in hacking activity.
Bitdefender, for example, recently discovered a spearphishing campaign conducted against oil and gas companies in the Middle East and Asia. It was apparently launched the day the OPEC oil price deal expired at the end of March, Arsene said.