Policy

Another well-known hacking group using leaked NSA hacking tools

Most of the tools used by Chafer, including SMB hacking tools like EternalBlue, were stolen from the NSA and are freely available on the public internet.

By Patrick Howell O'Neill

February 28, 2018

(Creative Time Reports / Flickr)

A familiar hacking group is using leaked NSA hacking tools and other cyberweapons in an increasingly active and ambitious strategy against its targets, according to a new report from Symantec.

The group, known as “Chafer,” successfully compromised one of the biggest telecom firms in the Middle East last year in an attack that may have set up surveillance across the region.

Chafer is linked to a group called OilRig, a highly active Iranian hacking group that’s shared command and control infrastructure and infection vectors with Chafer.

The group may have been active as early as 2011. Chafer was first spotted in 2015 targeting mostly telecoms and airlines in the Middle East as well at least one business as the United States.

“We have seen a shift compared to where they were three years ago,” said Symantec Technical Director Vikram Thakur. “They used to attack a majority of targets within the country of Iran. Today, Chafer is 100 percent focused on targets outside Iran. The shift in their mandate could be a result of past success or simply a shift in the driving force behind the group.”

Most of the tools used by Chafer, including SMB hacking tools like EternalBlue, were stolen from the National Security Agency and are freely available on the public internet. When EternalBlue was first leaked last year, experts said it would wreak havoc for years to come. Since then, it’s been used in malware outbreaks like WannaCry and NotPetya, as well as targeted campaigns run by Chafer.

The group also successfully compromised “a telecom services provider in the Middle East, which sells its solutions to multiple telecoms operators in the region,” according to Symantec. The compromise was a supply chain attack likely attempting to facilitate mass surveillance of the company’s clients around the region. Symantec would not identify the victim.

Iran has been at the center of hacking activity in the Middle East for over a decade. The country has been attacked with some of the most advanced cyberweapons ever put to use and while also being one of the most active and effective nation-states in cyberspace.

Another well-known hacking group using leaked NSA hacking tools

More Like This

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

With a mysterious surveillance target identified, calls for Congress to change course

Biden executive order seeks to cut China off from Americans’ sensitive data

Top Stories

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

Kaspersky reveals ‘elegant’ malware resembling NSA code

‘Greenbug’ hacking group hits three telecom firms in Pakistan

Russian hackers have been mooching off existing OilRig infrastructure

How did a Chinese APT get a U.S. hacking tool before it was leaked? Check Point has a theory.

Yet another hacking group is targeting oil and gas companies, Dragos says

Spies targeting Saudi Arabia switched tactics after Symantec exposed them, report says

What happens when one APT hijacks another’s infrastructure

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics