Iran Taps Chafer APT Group amid Civil Aviation Crisis

Iran’s Chafer hacking group is targeting aviation repair and maintenance firms in an apparent effort to obtain information needed to shore up the safety of that country’s fleet of domestic aircraft, according to research by the firm Symantec.

When an Aseman Airlines flight crashed in bad weather in a mountainous region of southern Iran on February 18, it was just the latest in a long list of civil aviation incidents in the country, which has an aging fleet and a shortage of replacement parts after years of Western sanctions.

Iran’s Chafer hacking group is targeting civil aviation firms, in an apparent effort to shore up the safety of commercial aircraft in the country, Symantec reported.

Now that many of those sanctions have lifted, Iran is rushing to replace those aging airplanes with new equipment purchased from firms like Boeing and Airbus. But behind the scenes, the country is using other means to turbo-charge its efforts to service and maintain its existing fleet: namely, targeted hacking operations aimed at a range of repair and servicing firms worldwide.

APT attacks – with safety in mind

That’s the contention of researchers at the firm Symantec, who reported on Wednesday that a hacking group dubbed “Chafer,” which is believed to work on behalf of the government of Iran, is targeting aviation firms as part of what researchers think may be an effort to shore up the safety of civil aviation in that country.

[Image: Chafer APT infographic. Symantec researchers observed a spike in campaigns in countries neighboring Iran. (Image courtesy of Symantec.)]

Symantec said that it had witnessed the group, which was first noted in 2015, changing both its tools and tactics and attacking nine organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey. Many of those firms were in the aviation industry, including airlines; aircraft services; software and IT services companies serving the air and sea transport sectors; telecoms services; and maintenance and repair organizations, Symantec said.

“When we see this activity or targeting to obtain information from the industry we can say with high confidence that Chafer is trying to gather information related to airlines – probably maintenance and repair – and maybe even trying to advise civilian aviation within the country, which is information that would primarily be used by the public sector within (Iran),” Vikram Thakur, Technical Director at Symantec, told The Security Ledger.

A change in focus since 2015

The goal is likely domestic rather than military. Iran could use the stolen information to improve the reliability of its domestic aircraft. As opposed to targeted espionage hacks aimed at stealing aircraft designs and manufacturing know-how, the Chafer campaigns may simply be a way of Iran obtaining valuable information at a very reasonable rate.

“This seems like an effective way of gathering the information that (Iran) needs to acquire. A few months’ campaign with a nominal amount of money paid to the hacker group can show a high probability of being able to gather the required information – and maybe with less bias, also,” Thakur said.

Chafer’s activities also stretched outside of the Middle East. Symantec reported that it found evidence of attacks against one African airline and attempts to compromise an international travel reservations firm. In most cases, the Chafer group did not seem interested in targeting government organizations – unless those also happened to be linked to its desired target of aviation-related firms.

Iran’s struggles to secure its civil aviation are well known. The country has seen 10 commercial air disasters in the last 10 years, killing 445 people. Two of the 10 least safe airlines in the world are based in the country.

The Chafer hacking group historically has been more inwardly focused. Symantec first documented the group in 2015, when it was targeting individuals and organizations using so-called “Trojan horse” programs. Airlines and telecommunications were targeted at that time, as well. However, the goal then was apparently to monitor the communications and movements of dissidents and activists within and outside of Iran, who communicate using proxy services to evade government censorship.

The latest attacks push further back in the aviation supply chain and don’t appear to be motivated by domestic security or geopolitical concerns, Thakur said. In at least one case, Symantec saw a telecommunications provider that provides broadband services to the airline industry in a particular country being targeted.

“Targeting the telecom increases the likelihood of you getting the information you’re looking for,” Thakur said.


The group has also changed its approach to hacking: switching from drive-by download attacks from compromised web sites to spear-phishing email attacks and infected documents like Excel spreadsheets, as well as so-called “fileless malware” techniques that rely on common administrative and open source tools to maintain a foothold on compromised networks.

“Since 2017, we’ve seen Chafer rely around 90% on using open source projects for their tooling,” Thakur said.

The use of open source tools makes attribution of the attack difficult. It also helps attackers “fly under the radar” at large organizations, where such tools may be used for legitimate work, Thakur said.