Two new cyber-espionage groups targeting ISPs inside Iran

Symantec said it has uncovered two new cyber-spy groups called Cadelle and Chafer which use backdoors to target individuals such as political activists and dissidents.

To do so they have infiltrated the systems of over 100 airlines, telcos and other organisations, mainly in the Middle East, but with one company in the US.

Their main targets are people using ISP and hosting services inside Iran. But the second-highest number of victims is in the US, with Germany sixth, the UK seventh and Holland 12th highest. No details of the individuals targeted in these countries have been released.

Symantec believes both espionage groups are located In Iran, have five to 10 people each, and may be linked. They are known to have been in business since July 2014 but could have been operating as far back as 2011.

Many of their targets use anonymous proxy services to go online, which are popular among political dissidents, activists and researchers in the Middle East.

“We believe that Cadelle and Chafer's victims are most likely to be of interest to an Iranian entity,” Symantec said. “Their victim profile may be of interest to a nation-state.”

The company said both Cadelle and Chafer have successfully exploited custom-built backdoors – dubbed Cadelspy and Remexi – to infiltrate their targets. In one organisation, 60 computers were compromised for almost a year.

“Cadelle and Chafer are aware they don't only have to directly attack the individuals, they can get to their victims by compromising the services they use, such as airlines and telcos.”

Cadelspy's payload enables the attackers to log victims' keystrokes, record audio, capture screenshots and webcam photos and steal any documents sent to be printed. Remexi is a more basic backdoor trojan that gives the attacker remote access to execute its own commands.

Symantec pointed out: “Cadelle and Chafer's activities show that attack groups don't need advanced skills to conduct effective targeted espionage against victims. Their threats have managed to remain on their targets' computers for almost a year, potentially giving the attackers access to an enormous amount of sensitive information.”

Analysing the two attacks, independent cyber-espionage expert Sean Sullivan, a security advisor with F-Secure, said they have the hallmarks of advanced APTs, even though Remexi is described as a standard backdoor.

He told via email: “Just because the tools aren't automated or stealth doesn't mean that the campaign isn't sophisticated. Iran appears to be using complex tactics and is dedicated – and dedication (ie, persistence) is a key factor in determining an APT classification.”

Cadelle and Chafer follow other suspected Iranian cyber-espionage groups such as Rocket Kitten, discovered by Trend Micro in March attacking Israeli and European government and private organisations. Last month, CheckPoint gave details of Rocket Kitten's 1600-plus targets and possible links to the Iranian Revolutionary Guard Corps.

Meanwhile, in December 2014 Cylance uncovered an Iranian cyber-warfare campaign called Operation Cleaver targeting over 50 infrastructure companies – including airlines, energy and telecoms firms – in 16 countries including the US, UK, France and Germany.

Symantec said, “Backdoor.Remexi activity is reminiscent of Operation Cleaver and may possibly be a continuation of that activity.”

Commenting on Cadelle and Chafer, Aatish Pattni, head of threat prevention for northern Europe at Check Point, told SC, “Last month our cyber-investigators released more information about Rocket Kitten and identified potential suspects. The Middle East may not be the only target, and European companies should remain alert. Europe is still seen as a global soft spot due to high-value targets, low protection levels and poor prosecution of foreign attackers.”

Sullivan at F-Secure agreed: “Western companies should be very wary of watering hole attacks and ‘basic' backdoors. Like Apple, Microsoft, Facebook and Twitter in 2013 – and quite likely Sony Pictures Entertainment and Ashley Madison more recently – remote shell access is more than enough for a dedicated hacker to fully compromise a company.

“Companies need to reorganise their networks. I'm not optimistic that they'll do so before they're compromised. People often need to learn the hard way.”

Symantec warned: “Both Cadelle and Chafer are still active today and we don't expect to see them end their activities anytime soon.” 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.