An Iranian cyber espionage campaign against the government in Kuwait and Saudi Arabia was spotted by cyber security researchers at Bitdefender.
The intelligence-gathering operations were conducted by Chafer APT (also known as APT39 or Remix Kitten), a threat actor famous for attacking the telecommunication and travel industries in the Middle East to collect personal information that serves the country’s geopolitical interests.
The researchers stated that the victims of the campaigns match the pattern preferred by this actor, such as air transport and government sectors in the Middle East. One such attack went undiscovered for more than a year and a half, starting in 2018.
The campaigns relied on ‘living off the land’ tools, which make attribution difficult, as well as various hacking tools and a custom-built backdoor.
The Chafer APT, which has been active since 2014, has previously targeted Turkish government organizations and foreign diplomatic entities based in Iran with the aim of collecting sensitive data.
The telecommunications industry is an attractive target because of the huge amount of personal and customer information it holds, its access to critical infrastructure used for communications, and the access it provides to a wide range of potential targets across multiple verticals.
APT39 compromises its victims through spear-phishing emails with malicious attachments, then uses a variety of backdoor tools to gain a foothold, elevate privileges, conduct internal reconnaissance, and establish persistence in the victim environment.
According to the researchers, the Kuwait attack is more complex, as the attackers were able to create a user account on the victims’ machines and perform malicious actions inside the network, including network scanning (CrackMapExec), credential harvesting (Mimikatz), and lateral movement inside the network using a variety of tools.
The attack against a Saudi Arabian entity used social engineering to trick the victim into running a remote administration tool (RAT), and some of its components were similar to those used against Kuwait and Turkey.
Although this attack was not as extensive as the Kuwait attack, the evidence indicates that it is the work of the same attackers. Only evidence of network discovery was found; there was no sign of lateral movement.
The attacks against Kuwait and Saudi Arabia show that Iran’s cyber espionage efforts are still continuing. Attacks like these two in the Middle East can occur anywhere in the world, and critical infrastructure such as government and air transportation will always remain a sensitive target.