Suspected Iranian Group Wages Wiper Attacks on Israel

SentinelOne: Malware Disguised as Ransomware
The Agrius attack life cycle (Source: SentinelOne)

A threat group likely operating from Iran has been attacking Israeli targets for more than a year with the wiper variants Apostle and Deadwood, masking the intrusions as ransomware attacks to confuse defenders, according to SentinelOne.

The security firm, which didn't specify which targets in Israel were attacked, says the incidents took place this year and last, with the wiper functionality used in only some of the attacks.

The threat group, which SentinelOne dubbed Agrius, appears to have links to known Iranian actors, the research report states.

"An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets," says Amitai Ben Sushan Ehrlich, a threat intelligence researcher at SentinelOne. "The operators behind the attacks intentionally masked their activity as ransomware attacks."

Anatomy of an Agrius Attack

The Agrius gang generally uses a VPN service, usually ProtonVPN, to access the target's public-facing applications. Once inside an application, the group deploys a web shell, typically ASPXSpy, or uses the victim's own VPN service to enter the network, Ehrlich says.

"Agrius uses those web shells to tunnel RDP [remote desktop protocol] traffic to leverage compromised accounts to move laterally. During this phase, the attackers use a variety of publicly available offensive security tools for credential harvesting and lateral movement," he says.

The group maintains persistence using a custom backdoor called IPsec Helper, which is written in .NET and is used to remove data or inject additional malware, Ehrlich says.

The researcher says the same developer likely wrote Apostle and the IPsec Helper backdoor. Prior to the attacks on Israeli targets, other attackers, apparently linked to Iran, used Deadwood in other wiper attacks in the Middle East, Ehrlich says.

Iran Links?

SentinelOne's researchers did not discover a direct link to Iran for the series of attacks on Israeli targets. But the Agrius operators uploaded three of the web shell variants to VirusTotal from computers located in Iran, they say. And, for a few attacks launched without using a VPN to obfuscate the source, SentinelOne was able to determine they originated from servers that resolved to Iranian domains, they add.

"Iranian threat actors have a long history of deploying wipers, dating back to 2012 when Iranian hackers deployed the notorious Shamoon malware against Saudi Aramco," Ehrlich says. "Since then, Iranian threat actors have been caught deploying wiper malware in correlation with the regime's interests on several occasions."

Earlier Attacks

Iran has used wiper malware in previous attacks, with the most well-known being the 2012 strike on the oil company Saudi Aramco. The Shamoon malware used in that attack disabled tens of thousands of workstations.

Iran's preference for using this style of attack prompted Christopher Krebs, who was then the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, to warn U.S. institutions in 2019 that they should shore up their basic cybersecurity defenses (see: DHS: Conflict With Iran Could Spur 'Wiper' Attacks).

About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.
