Today, cybersecurity researchers shed light on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia.
Bitdefender said the intelligence-gathering operations were conducted by Chafer APT (also known as APT39 or Remix Kitten), a threat actor known for its attacks on telecommunication and travel industries in the Middle East to collect personal information that serves the country’s geopolitical interests.
“Victims of the analysed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East,” the researchers said in a report (PDF) shared with The Hacker News, adding at least one of the attacks went undiscovered for more than a year and a half since 2018.
“The campaigns were based on several tools, including ‘living off the land’ tools, which makes attribution difficult, as well as different hacking tools and a custom-built backdoor.”
A FireEye report last year added to growing evidence of Chafer’s focus on telecommunications and travel industries. “Telecommunications firms are attractive targets given that they store large amounts of personal and customer information, provide access to critical infrastructure used for communications, and enable access to a wide range of potential targets across multiple verticals,” the company said.
APT39 compromises its targets via spear-phishing emails with malicious attachments and using a variety of backdoor tools to gain a foothold, elevate their privileges, conduct internal reconnaissance, and establish persistence in the victim environment.
What makes the Kuwait attack more elaborate, according to Bitdefender, is their ability to create a user account on the victims’ machine and perform malicious actions inside the network, including network scanning (CrackMapExec), credential harvesting (Mimikatz), and move laterally inside the networks using a wide arsenal of tools at their disposal.
Most activity occurs on Friday and Saturday, coinciding with the weekend in the Middle East, the researchers said.
The attack against a Saudi Arabian entity, on the other hand, involved the use of social engineering to trick the victim into running a remote administration tool (RAT), with some of its components sharing similarities with those used against Kuwait and Turkey.
images from Hacker News