According to some cybersecurity researchers, they have found an Iranian cyber espionage campaign which is targeting crucial and confidential information in Kuwait and Saudi Arabia

It is to be known that such intelligence-gathering operations are being carried by Chafer APT (some people know it as Remix Kitten or APT39). They are a threat group that attacks travel and telecommunication industries in the Middle East to gather confidential information which is mostly linked to that country’s geopolitical interests.

In one of the reports shared by the researchers, it does seem that the involved victims in the campaign such as air transport and government sector in the Middle East fall under this group’s trap. However, since 2018, some of the attacks went undiscovered for over a year and a half.

The campaigns were focused on many tools like ‘living off the land’ tools that can make attribution difficult, custom-built backdoor, and different hacking tools.

The Chafer APT has also aimed at the Turkish government and foreign diplomatic entities of Iranian to hack and extract critical information. It was reported by FireEye last year that Chafer’s new aim is on telecommunications and travel industries as they store a large amount of personal data of customers. 

APT39 made this possible by launching spear-phishing emails containing malicious attachments that in turn used several backdoor tools to achieve a foothold, eliminate their privileges, establish persistence in the victim environment, and conduct internal reconnaissance.

As per the researchers’ comments, most of the activities of the campaign were carried on Friday and Saturday. Social engineering was used to trick the Saudi Arabian entity into working on a remote administration tool (RAT), similar attacks happened against Kuwait and Turkey. However, it is important to note that such attacks can happen anywhere in the world while critical infrastructure like air transportation and the government are their obvious targets.