Teams of hackers targeting ME airlines, telecoms: Symantec | THE DAILY TRIBUNE | KINGDOM OF BAHRAIN

Two teams of attackers have been using back door threats to conduct targeted surveillance of domestic and international targets, according to new research from Symantec.

While the groups are heavily targeting individuals located in Iran, they have also compromised airlines and telecom providers in the Middle East region, possibly in an attempt to monitor targets’ movements and communications, the firm said.

The attackers belong to two separate groups that share an interest in the same targets, it said. The two groups, which Symantec calls Cadelle and Chafer, distributed malware “capable of opening a back door and stealing information from victims’ computers”.

Symantec says it identified Cadelle and Chafer activity dating from as far back as July 2014; however, it is likely that activity began well before this date. “Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people,” it said.

The firm adds that both Cadelle and Chafer appear to be interested in the same category of organisations, such as airlines and telecom companies. “The affected organisations we were able to identify are mostly based in the Middle East region in countries such as Saudi Arabia and Afghanistan, while one organisation is located in the US,” it said.

The firm maintains that the back door threats that the groups use appear to be custom made. “It’s unclear how Cadelle infects its targets with Backdoor.Cadelspy. However, Chafer has been observed compromising web servers, likely through SQL injection attacks, to drop Backdoor.Remexi onto victims’ computers. Chafer then uses Remexi to gather user names and passwords to help it spread further across the network,” it said.

“There is evidence to suggest that the two teams may be connected in some way, though we cannot confirm this,” the firm said.

According to Symantec, a number of computers experienced both Cadelspy and Remexi infections within a small time window. The security software firm said that, in one instance, a computer was compromised with Backdoor.Cadelspy just minutes after being infected with Backdoor.Remexi. It notes that the Cadelle and Chafer groups also keep the same working hours and focus on similar targets. However, it observed no sharing of C&C infrastructure between the teams.
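The co-infection pattern Symantec describes, Remexi and Cadelspy landing on the same host minutes apart, is something a SOC can hunt for in its own anti-malware telemetry. The script below is an added example, not Symantec’s code and not part of the original article: it groups detection events by host and reports any host where both families were seen within a configurable window. The log format, host names and one-hour default window are assumptions, and the sample events are constructed.

```python
"""Correlate Cadelspy and Remexi detections on the same host within a time window.

Added example, not Symantec's tooling. The event format "timestamp host signature"
is an assumption; the sample events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample detection events (assumed format: ISO timestamp, host, signature).
SAMPLE_EVENTS = """\
2015-11-20T09:02:11 ws-104 Backdoor.Remexi
2015-11-20T09:09:47 ws-104 Backdoor.Cadelspy
2015-11-20T10:15:00 ws-211 Backdoor.Cadelspy
2015-11-21T08:30:00 ws-211 Backdoor.Remexi
2015-11-22T14:00:00 srv-db3 Backdoor.Remexi
2015-11-22T14:00:30 srv-db3 Backdoor.Remexi
"""

# The two families named in the Symantec research.
FAMILIES = {"Backdoor.Cadelspy", "Backdoor.Remexi"}


def parse_events(text):
    """Parse the assumed log format into a list of (timestamp, host, signature)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, sig = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), host, sig))
    return events


def find_coinfections(events, window_seconds=3600):
    """Return hosts where both families were detected within window_seconds.

    Each hit is (host, gap_in_seconds, first_signature, second_signature),
    sorted for stable output. Two detections of the same family on one host
    are not a co-infection and are ignored.
    """
    by_host = defaultdict(list)
    for ts, host, sig in events:
        if sig in FAMILIES:
            by_host[host].append((ts, sig))

    hits = []
    for host, seen in by_host.items():
        seen.sort()  # chronological order lets the inner loop stop early
        for i in range(len(seen)):
            for j in range(i + 1, len(seen)):
                t1, s1 = seen[i]
                t2, s2 = seen[j]
                gap = (t2 - t1).total_seconds()
                if gap > window_seconds:
                    break  # later entries are further away still
                if s1 == s2:
                    continue  # same family twice, not both families
                hits.append((host, int(gap), s1, s2))
    return sorted(hits)


if __name__ == "__main__":
    for host, gap, s1, s2 in find_coinfections(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {s2} seen {gap}s after {s1}")
```

On the constructed sample this flags only ws-104 (Cadelspy 456 seconds after Remexi); ws-211 has both families but a day apart, and srv-db3 has two Remexi hits only. Narrowing the window to five minutes clears the ws-104 hit as well, which is the knob to tune against your own false-positive rate.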

“If Cadelle and Chafer are not directly linked, then they may be separately working for a single entity,” it said.