Another well-known hacking group using leaked NSA hacking tools

Most of the tools used by Chafer, including SMB hacking tools like EternalBlue, were stolen from the NSA and are freely available on the public internet.
National Security Agency
(Creative Time Reports / Flickr)

A familiar hacking group is using leaked NSA hacking tools and other cyberweapons in an increasingly active and ambitious strategy against its targets, according to a new report from Symantec.

The group, known as “Chafer,” successfully compromised one of the biggest telecom firms in the Middle East last year in an attack that may have set up surveillance across the region.

Chafer is linked to a group called OilRig, a highly active Iranian hacking group that’s shared command and control infrastructure and infection vectors with Chafer.

The group may have been active as early as 2011. Chafer was first spotted in 2015 targeting mostly telecoms and airlines in the Middle East as well at least one business as the United States.


“We have seen a shift compared to where they were three years ago,” said Symantec Technical Director Vikram Thakur. “They used to attack a majority of targets within the country of Iran. Today, Chafer is 100 percent focused on targets outside Iran. The shift in their mandate could be a result of past success or simply a shift in the driving force behind the group.”

Most of the tools used by Chafer, including SMB hacking tools like EternalBlue, were stolen from the National Security Agency and are freely available on the public internet. When EternalBlue was first leaked last year, experts said it would wreak havoc for years to come. Since then, it’s been used in malware outbreaks like WannaCry and NotPetya, as well as targeted campaigns run by Chafer.

The group also successfully compromised “a telecom services provider in the Middle East, which sells its solutions to multiple telecoms operators in the region,” according to Symantec. The compromise was a supply chain attack likely attempting to facilitate mass surveillance of the company’s clients around the region. Symantec would not identify the victim.

Iran has been at the center of hacking activity in the Middle East for over a decade. The country has been attacked with some of the most advanced cyberweapons ever put to use and while also being one of the most active and effective nation-states in cyberspace.

Latest Podcasts