Governments in Kuwait and Saudi Arabia targeted by Iranian Chafer APT

Researchers reveal that campaigns based on “living off the land” tools, conducted by Chafer APT

The campaign targeting air transportation and government in Kuwait and Saudi Arabia reported being conducted by Iranian APT. Hacker group with apparent links to the Iranian government released attacks based on several tools built for hacking and spreading backdoors, data exfiltration.^[1] Researchers revealed that attacks in the Middle East were by the Chafer APT group. These cyber espionage campaigns were directed against critical infrastructures like transportation, telecommunication, and government institutions in Kuwait and Saudi Arabia.^[2]

The Chafer APT or APT39/ Remix Kitten threat actor group launched information-gathering operations on telecommunications, travel industries, and other businesses in the Middle East.^[3] Hackers collect personal information that is needed for serving a particular country's political interests.

According to the research team these attacks were held at least since 2018 and some of them remained undetected for more than a year:

The campaigns were based on several tools, including 'living off the land' tools, which makes attribution difficult, as well as different hacking tools and a custom-built backdoor.

The APT group used various tools for persistence and data exfiltration

These campaigns were analyzed in-depth and showed that operations lasted for more than a year and a half. During this time, the Chafer APT group managed to use various tools to ensure persistence. As for many similar campaigns, the main goal of attackers remains data exploration and exfiltration.^[4] Key findings of the analysis:

• Campaigns aimed towards air transportation and government sectors.
• The activity of hackers happened on weekends.
• Campaigns aiming at the Kuwait government included particular user accounts that attackers created.
• The Saudi Arabia attack was focused on social engineering techniques that allowed to trick victims.
• Botch attacks had the same goal of tracking and stealing valuable information.

Telecommunications or transportation firms or similar industries are attractive for the large amounts of data about customers that can be obtained and misused later on. Hackers can access such information and enable access to a wide range of possible targets across multiple platforms and on a wide range location wise.

APT39 stays aiming towards typical targets

This Iranian group is known for conducting campaigns aimed towards political targets and other sectors where possibly valuable data can get exfiltrated. Threat group uses spear-phishing emails with malicious attachments and other backdoor, hacking tools to gain access to the system. Once that is done hackers can elevate privileges and conduct internal infiltration, ensure persistence in the network.

These targets in Kuwait and Saudi Arabia were not surprising since the Middle East was targeted by this APT39 group before.^[5] A few different features in these attacks revealed that hackers look for different ways to compromise networks. In the campaign against Kuwait hackers created user accounts on machines and performed other actions inside the system like network scanning, stealing credentials.

Mimikatz and CrackMapExec tools got used for these purposes, but Chafer APT relied on other tools too. The attack in Saudi Arabia was based on social engineering that allowed tricking people into installing and running the remote administration tool. This piece of malware was similar to other hacking tools and backdoors that APT39 used in the past, and researchers noted that these attacks are not going to stop in the near feature, it seems:

While these two are the most recent attack examples happening in the Middle East, it is important to understand that this type of attack can happen anywhere in the world, and critical infrastructures like government and air transportation remain very sensitive targets.