Chafer's Rising Ambitions: New Tools and Tactics in the Cyber Threat Landscape
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: SQL injection, Vulnerability Exploitation, Backdoor, Downloader, Dropper, Keylogger, Spyware, Spear Phishing, Supply Chain Compromise
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
The Iran-based attack group Chafer escalated its operations in 2017, striking more organizations both within and beyond the Middle East. Using several newly adopted tools, it targeted airlines, telecoms services providers, and software and IT services companies serving the transport sector, among others. Chafer attempted to infiltrate a major telecoms services provider and an international travel reservations firm, most likely to enable surveillance of those providers' end users rather than of the providers themselves. Initial access came through malicious documents and SQL injection attacks against web servers, after which the group used newly adopted open-source tools to move within compromised networks and steal data. Taken together, these activities indicate a growing threat, especially as Chafer increasingly compromises supply-chain organizations to reach its ultimate targets.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Consulting | Verified |
Sector | Information Technology: software and IT services companies serving the air and sea transport sectors, and document management software services | Verified |
Sector | Logistics | Verified |
Sector | Aerospace: airlines and aircraft services | Medium |
Sector | Telecommunication: telecoms services | Verified |
Region | Israel: targets were primarily in the Middle East, including Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey; there was also evidence of attacks against an African airline | Verified |
Region | Jordan | Verified |
Region | Saudi Arabia | Verified |
Region | Turkey | Verified |
Region | United Arab Emirates | Verified |
Extracted IOCs
- win7-updates[.]com
- s21.win7-update[.]com
- s224.win7-update[.]com
- s5060.win7-update[.]com
- wsus65432.win7-update[.]com
- 107[.]191.62.45
- 134[.]119.217.84
- 148[.]251.197.113
- 185[.]22.172.40
- 83[.]142.230.113
- 86[.]105.227.224
- 87[.]117.204.113
- 87[.]117.204.115
- 89[.]38.97.112
- 89[.]38.97.115
- 91[.]218.114.204
- 91[.]218.114.225
- 92[.]243.95.203
- 94[.]100.21.213
- hxxp://wsus65432.win7-update[.]com
20 IOCs are listed for this threat: 14 IP addresses, 5 domains, and 1 URL (no email addresses or file hashes).
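To make the list above usable, an analyst normally refangs the indicators and sweeps DNS and proxy logs for them. The script below is an added example, not code from the original report: it refangs the listed IOCs, splits them into IP and hostname sets, and scans constructed sample log lines (not real traffic) for exact hits. It goes one step beyond the list in one labelled place: because every listed host sits under win7-update.com, `PARENT_DOMAINS` treats any other subdomain of that registered domain as a hit as well, which is an assumption of this example rather than something the report states. The log layout and the `scan`/`load_iocs` helper names are also this example's own.

```python
import ipaddress
import re

# The indicators from the list above, kept in their defanged form so the
# script can sit next to the report without creating live links.
DEFANGED_IOCS = [
    "win7-updates[.]com",
    "s21.win7-update[.]com",
    "s224.win7-update[.]com",
    "s5060.win7-update[.]com",
    "wsus65432.win7-update[.]com",
    "107[.]191.62.45", "134[.]119.217.84", "148[.]251.197.113",
    "185[.]22.172.40", "83[.]142.230.113", "86[.]105.227.224",
    "87[.]117.204.113", "87[.]117.204.115", "89[.]38.97.112",
    "89[.]38.97.115", "91[.]218.114.204", "91[.]218.114.225",
    "92[.]243.95.203", "94[.]100.21.213",
    "hxxp://wsus65432.win7-update[.]com",
]

# Assumption of this example, not a statement in the report: the listed hosts
# share one registered domain, so any other subdomain of it is flagged too.
PARENT_DOMAINS = {"win7-update.com"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Reverse the usual defanging conventions: [.] -> . and hxxp -> http."""
    ioc = ioc.strip().lower().replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc)


def load_iocs(defanged):
    """Split refanged IOCs into an IP set and a hostname set (URLs contribute their host)."""
    ips, hosts = set(), set()
    for raw in defanged:
        ioc = refang(raw)
        if "://" in ioc:  # URL: keep only the host part
            ioc = ioc.split("://", 1)[1].split("/", 1)[0]
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            hosts.add(ioc.rstrip("."))
    return ips, hosts


def matching_domain(host, hosts):
    """Return the entry that covers host: an exact hostname or a listed parent domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def scan(lines, defanged=DEFANGED_IOCS, parents=PARENT_DOMAINS):
    """Return (line_number, kind, observed_value, matched_ioc) for every sighting."""
    ips, hosts = load_iocs(defanged)
    watch = hosts | set(parents)
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, "ip", ip, ip))
        for host in HOST_RE.findall(line):
            ioc = matching_domain(host, watch)
            if ioc:
                hits.append((n, "domain", host.lower(), ioc))
    return hits


# Constructed sample log lines (not real traffic) in a generic
# "timestamp client event detail" layout; line 6 is only caught by PARENT_DOMAINS.
SAMPLE_LOG = """\
2017-03-01T10:12:03Z 10.0.0.5 dns A s21.win7-update.com
2017-03-01T10:12:04Z 10.0.0.5 connect 107.191.62.45:443
2017-03-01T10:13:10Z 10.0.0.7 dns A update.microsoft.com
2017-03-01T10:14:00Z 10.0.0.9 GET http://wsus65432.win7-update.com/index.php
2017-03-01T10:15:00Z 10.0.0.9 dns A S5060.WIN7-UPDATE.COM.
2017-03-01T10:16:00Z 10.0.0.9 dns A s77.win7-update.com
""".splitlines()

if __name__ == "__main__":
    for n, kind, seen, ioc in scan(SAMPLE_LOG):
        print(f"line {n}: {kind} {seen} matched IOC {ioc}")
```

Two caveats apply when running this against real logs. First, win7-updates[.]com (with an "s") is a separate listed domain and is matched exactly; it is not a subdomain of win7-update.com, so the parent-domain rule does not cover it. Second, this infrastructure dates from 2017; IP addresses in particular get reassigned, so treat IP hits as leads to verify against the event's timeframe and passive DNS rather than as confirmed compromise.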
FAQs
Understanding the Chafer Cyber Threat
Chafer, a cyberattack group from Iran, carried out targeted attacks across multiple sectors, primarily in the Middle East, using new tools and techniques. Its goal was chiefly surveillance of individuals, achieved by compromising the service providers those individuals rely on.
Who carried out the attacks?
The attacks were carried out by Chafer, an Iran-based hacking group active since at least 2014 and known for espionage and surveillance operations against businesses and individuals in the Middle East and beyond.
What were the attackers' objectives?
Chafer primarily sought to gather intelligence and conduct surveillance. By infiltrating organizations higher up the supply chain, it gained access to much larger pools of potential surveillance targets than it could reach one victim at a time.
Which organizations were targeted?
Targets included telecoms providers, airlines, IT companies, payroll services, engineering firms, and providers of document management software, mainly in the Middle East, with some activity in Africa and beyond.
How were the attacks carried out?
Initial access came through phishing emails carrying malicious Excel documents and through attacks on web servers, including SQL injection. Once inside, the attackers used publicly available tools to spread within networks and steal sensitive information.
Why target service providers?
Telecoms providers, airlines, and IT and software services companies hold access to extensive networks of end users, which makes them attractive gateways for broad surveillance and espionage.
How significant are these attacks?
The attacks are targeted, but they show a growing ambition by Chafer to reach a wider set of regional and international victims by infiltrating higher-level service providers.
How can organizations protect themselves?
Organizations should strengthen phishing defenses, keep systems patched (especially against known, publicly exploited vulnerabilities), harden supply-chain relationships, and improve network monitoring so that lateral movement and data theft are detected early.