Suspected Iranian Group Wages Wiper Attacks on Israel
SentinelOne: Malware Disguised as Ransomware
A threat group likely operating from Iran has been attacking Israeli targets for more than a year with the wiper variants Apostle and Deadwood, masking the intrusions as ransomware attacks to confuse defenders, according to SentinelOne.
The security firm, which didn't specify which targets in Israel were attacked, says the incidents took place this year and last, with the wiper functionality used in only some of the attacks.
The threat group, which SentinelOne dubbed Agrius, appears to have links to known Iranian actors, the research report states.
"An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets," says Amitai Ben Sushan Ehrlich, a threat intelligence researcher at SentinelOne. "The operators behind the attacks intentionally masked their activity as ransomware attacks."
Anatomy of an Agrius Attack
The Agrius gang generally uses a VPN service, usually ProtonVPN, to access the target's public-facing applications. Once inside an application, the group deploys a web shell, typically ASPXSpy, or uses the victim's own VPN service to enter the network, Ehrlich says.
"Agrius uses those web shells to tunnel RDP [remote desktop protocol] traffic to leverage compromised accounts to move laterally. During this phase, the attackers use a variety of publicly available offensive security tools for credential harvesting and lateral movement," he says.
The group maintains persistence using a custom backdoor called IPsec Helper, which is written in .NET and is used to remove data or inject additional malware, Ehrlich says.
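The chain described above (web shell on a public-facing application, then RDP tunnelled through it for lateral movement) leaves a correlatable trace in two logs most organizations already keep: the web server's access log and internal connection logs. The following is an added detection example written for this article; it is not code from SentinelOne's report or from the Agrius tooling. It assumes a simplified, constructed log format for both sources (real IIS and NetFlow fields differ), assumes the RFC 1918 ranges as the internal address space, and flags a web server that starts initiating RDP (port 3389) connections to internal hosts shortly after receiving POST requests to an .aspx page from an external client.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space for this example (RFC 1918 ranges).
INTERNAL = [ip_network("10.0.0.0/8"),
            ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
RDP_PORT = 3389

# Constructed, simplified web access log: date time server-ip method uri client-ip
IIS_LOG = """\
2021-05-20 09:58:03 10.0.0.5 GET /index.aspx 203.0.113.7
2021-05-20 10:02:11 10.0.0.5 POST /uploads/tmp.aspx 203.0.113.7
2021-05-20 10:03:40 10.0.0.5 POST /uploads/tmp.aspx 203.0.113.7
2021-05-20 10:10:00 10.0.0.5 POST /login.aspx 10.0.1.20
"""

# Constructed, simplified connection log: date time src-ip dst-ip dst-port
FLOW_LOG = """\
2021-05-20 10:01:00 10.0.1.20 10.0.0.5 443
2021-05-20 10:05:12 10.0.0.5 10.0.2.30 3389
2021-05-20 10:06:05 10.0.0.5 10.0.2.31 3389
2021-05-20 11:30:00 10.0.0.5 10.0.2.40 3389
2021-05-20 10:07:00 10.0.1.20 10.0.2.30 3389
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_iis(text):
    """Yield (timestamp, server, method, uri, client) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        d, t, server, method, uri, client = line.split()
        yield datetime.fromisoformat(f"{d} {t}"), server, method, uri, client


def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        d, t, src, dst, port = line.split()
        yield datetime.fromisoformat(f"{d} {t}"), src, dst, int(port)


def suspected_webshell_posts(iis_text):
    """POSTs to an .aspx resource from a non-internal client.

    A public login form produces the same pattern, so on its own this is
    only a weak signal; it becomes interesting when paired with RDP below.
    """
    return [(ts, server, uri, client)
            for ts, server, method, uri, client in parse_iis(iis_text)
            if method == "POST"
            and uri.lower().endswith(".aspx")
            and not is_internal(client)]


def find_webshell_rdp_pivots(iis_text, flow_text, window_minutes=30):
    """Alert when a web server that just received suspected web-shell POSTs
    initiates RDP to an internal host within the window.

    Web servers normally accept inbound connections; one that starts
    opening RDP sessions to other internal machines is the lateral-movement
    pattern described in the article. One alert per (server, target) pair.
    """
    posts = suspected_webshell_posts(iis_text)
    window = timedelta(minutes=window_minutes)
    alerts, seen = [], set()
    for fts, src, dst, port in parse_flows(flow_text):
        if port != RDP_PORT or not is_internal(dst):
            continue
        for pts, server, uri, client in posts:
            if src == server and pts <= fts <= pts + window:
                key = (server, dst)
                if key not in seen:
                    seen.add(key)
                    alerts.append({"web_server": server,
                                   "rdp_target": dst,
                                   "webshell_uri": uri,
                                   "external_client": client,
                                   "rdp_time": fts.isoformat(sep=" ")})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_webshell_rdp_pivots(IIS_LOG, FLOW_LOG):
        print(alert)
```

On the constructed data this raises two alerts (10.0.0.5 reaching 10.0.2.30 and 10.0.2.31 over RDP a few minutes after the external POSTs to /uploads/tmp.aspx) and ignores the RDP connection from a workstation and the one from the web server that falls outside the window. The time window and the "POST to .aspx from outside" heuristic are tunable assumptions; the durable signal is the role violation, a web server acting as an RDP client.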
The researcher says the same developer likely wrote Apostle and the IPsec Helper backdoor. Prior to the attacks on Israeli targets, other attackers, apparently linked to Iran, used Deadwood in other wiper attacks in the Middle East, Ehrlich says.
SentinelOne's researchers did not discover a direct link to Iran for the series of attacks on Israeli targets. But the Agrius operators uploaded three of the web shell variants to VirusTotal from computers located in Iran, they say. And, for a few attacks launched without using a VPN to obfuscate the source, SentinelOne was able to determine they originated from servers that resolved to Iranian domains, they add.
"Iranian threat actors have a long history of deploying wipers, dating back to 2012 when Iranian hackers deployed the notorious Shamoon malware against Saudi Aramco," Ehrlich says. "Since then, Iranian threat actors have been caught deploying wiper malware in correlation with the regime's interests on several occasions."
Iran has used wiper malware in previous attacks, with the most well-known being the 2012 strike on the oil company Saudi Aramco. The Shamoon malware used in that attack disabled tens of thousands of workstations.
Iran's preference for using this style of attack prompted Christopher Krebs, who was then the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, to warn U.S. institutions in 2019 that they should shore up their basic cybersecurity defenses (see: DHS: Conflict With Iran Could Spur 'Wiper' Attacks).