Symantec Reveals That Hackers Are Monitoring Activists And Dissidents In Iran

Symantec revealed that Iran-based hackers used malware to monitor people inside the country, including potential activists and dissidents. The research showed that the attacks were not sophisticated, but they gave the attackers access to their targets' computers for over a year, during which they may have obtained a large amount of sensitive information.

The malware was distributed by two hacker groups, Cadelle and Chafer. It stole information from servers and PCs, including systems belonging to telephone companies and airlines within the region. While the two groups appear to have been active since the middle of 2014, registration details of their servers suggest they may have started as early as 2011.

Cadelle used a malware called Backdoor.Cadelspy while Chafer used Backdoor.Remexi. It remains unclear how Cadelle delivered its malware, while Chafer used SQL injection attacks to compromise web servers. In an SQL injection attack, input that the attacker types into a web form or URL parameter is pasted directly into a database query by the web application, so the attacker's text is executed as SQL commands against the back-end database instead of being treated as plain data.
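The following Python example, added here to illustrate the SQL injection technique described above, is not code from the Symantec report and says nothing about Chafer's actual tooling. It builds a constructed in-memory SQLite "users" table standing in for the back-end database behind a web login form, shows a login query that pastes form input straight into SQL (vulnerable), the two classic payloads an attacker would type into the form, and the parameterised version of the same query that treats the input as data. All table, column and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the back-end database behind a
# web login form. Not taken from the Symantec report.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hunter2", "admin"),
        ("bob", "letmein", "user"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    # Form input is concatenated straight into the SQL string, so quotes and
    # SQL keywords typed by the user become part of the query. This is the
    # pattern an SQL injection attack exploits.
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    # Parameterised query: the driver binds the values as data, so they are
    # never parsed as SQL no matter what characters they contain.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

# Classic attacker inputs typed into the username field of the form.
# Tautology: turns the WHERE clause into "... OR '1'='1'", matching every row.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
# Comment: closes the string after a chosen username and comments out the
# password check, logging in as that user without knowing the password.
PAYLOAD_COMMENT = "alice'--"

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", "hunter2"))                    # legitimate login
    print(login_vulnerable(conn, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY))  # every row leaks
    print(login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"))              # admin without password
    print(login_safe(conn, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY))        # nothing
    print(login_safe(conn, PAYLOAD_COMMENT, "wrong"))                    # nothing
```

Against `login_vulnerable` the tautology payload returns both rows and the comment payload returns the admin account with a wrong password; against `login_safe` both payloads return nothing, because the same text is compared literally against the username column. Parameterised queries (prepared statements) are the standard fix; input filtering alone is not sufficient.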

Image credit: wiki.smu.edu.sg

Symantec said each hacker group may have five to ten members. Although the two groups do not share attack infrastructure, they attack the same targets within Iran and operate at around the same times. File strings in Cadelspy also show dates written in the Solar Hijri calendar format, the calendar used in Iran.

Some computers were infected by both groups at nearly the same time. Symantec noted that one computer carrying both a Remexi and a Cadelspy infection was a system running SIM card editing software, while other infected computers were used by web developers or served as database servers. Some targets were individuals using anonymous proxies or similar services to get around blocks on specific websites.

These services are widely used by Iranians who want to reach websites blocked by the government's internet censorship. Symantec added that the proxies may have been used by researchers, dissidents and activists to keep their internet activity private.

Posted on Tuesday December 08 2015, 11:38 AM EST. Filed under Technology.