A new report from Symantec reveals that Iran-based hacking group Chafer became more active in 2017, mounting further operations and deploying new tools.
Chafer has been active since at least 2014, when it was found to be conducting targeted surveillance of domestic and international subjects. Its activities were first exposed by Symantec in 2015 but this has not stopped the group, which has rolled out new infrastructure, used seven new tools and attacked nine new target organizations in the region in 2017.
One of the organisations targeted by the group last year was a large telecoms provider in the Middle East, and by moving two steps up the supply chain attackers could have carried out surveillance on a huge amount of end users. The report also found evidence of an attempted attack on a large travel firm outside of the Middle East, which suggests the group’s ambitions are growing.
In 2017, the group added a new infection method to its toolkit, using malicious documents that are likely circulated using spear-phishing emails sent to individuals working in targeted organizations. It also added a host of new tools, including SMB hacking tools that were used in the WannaCry and Petya attacks.
Although the group is a regional actor, it is following two regional trends which are the common use of freely available software tools and attacks on the supply chain with the aim of subsequently infiltrating customer networks.
“Chafer’s recent activities indicate that the group remains highly active, is continuing to hone its tools and tactics, and has become more audacious in its choice of targets,” Symantec said.
