The Iranian regime has long used cyber warfare as a critical component of its soft-target approach, but has begun to deploy an especially threatening new actor as it targets its number one foe, Israel.
According to a recent report by cybersecurity and intelligence firm SentinelLabs, a new Iran-linked hacker group named Agrius has been targeting Israel since the beginning of this year.
While it focused at first on espionage activity, security experts detected that the infiltrators also initiated a series of “wiper” attacks against Israel targets – masquerading as ransomware attacks but designed to destroy important data.
“What is different now is that Iran is trying to hide the true goal of its cyberattacks – destroying data – behind the mask of ransomware,” explained Karim Hijazi, CEO of Prevailion, a Houston-based cyber intelligence company.
By disguising the attack, Hijazi said, Iran can confuse its victims, making them think they are dealing with a financially motivated cyberattack that can be negotiated. In reality, the hackers are trying to cause as much damage as they can.
“Victims will lose valuable time because of this, as they will be focused on restoring data from their backups instead of preventing the attacker from causing more damage,” he added.
“This technique can also make it harder to attribute the attack, as it takes on the appearance of a criminal group, as opposed to a nation-state.”
According to the SentinelLabs report, the attacks were executed using a backdoor called “IPSEC Helper” and a unique wiper termed “Apostle.”
“The message inside it suggests it was used to target a critical, nation-owned facility in the United Arab Emirates,” it said. “The similarity to its wiper version, as well as the nature of the target in the context of regional disputes, leads us to believe that the operators behind it are utilizing ransomware for its disruptive capabilities.”
Hiding behind a virtual private network (VPN), Agrius inserts its custom malware to both extract data and embed more malware.
While it is difficult to assess the damage thus far – Israel has not released such information publicly – Hijazi said wiper malware causes incredible damage as the victims lose all of the data exfiltrated by the malware.
“Imagine if Colonial Pipeline had been hit with a wiper attack instead of ransomware? That could have led to weeks – or even months – of supply disruptions,” he said.
“Wiper malware can kill off companies and cripple government agencies and critical infrastructure. It is a real menace. These attacks are far outside the scope of traditional state vs. state cyber rivalries. Make no mistake: Iran’s operations are an act of digital war against Israel.”
The latest threat recognition comes on the heels of a flurry of cyber attacks linked to Tehran against its number one adversary. Early last month, media reported on assaults on targets including H&M and logistics company Veritas, with data stolen in a way that appeared to impersonate Russian attacks.
Some analysts have indicated that the cyber campaign was less about theft and extortion than about humiliating and discouraging companies in Israel, which prides itself on having some of the most state-of-the-art cyber defense mechanisms in the world.
The Iran-Israel virtual war hit a high in April 2020 when Iran launched attacks on water and sewage treatment facilities in Israel.
Targeting the US too?
Heather Heldman, managing partner and principal of Washington-based geopolitics advisory firm Luminae Group, cautioned that the Biden administration’s resumed negotiations over the Iran nuclear deal will not be enough to stop the regime from targeting the U.S. government or private sector entities directly.
“There are strong domestic political incentives for the Iranian regime to do this,” she said. “Israel’s infrastructure is significantly more hardened than American infrastructure – we have a lot of vulnerabilities as the recent pipeline attack highlighted, and arguably, American targets could be a lot easier to hit than Israeli ones. This reality should be lost on no one.”
Moreover, if Iran’s apparent use of “sabotageware” goes relatively unchecked, Hijazi said, that could embolden other adversaries to follow suit.
“Sabotageware is any malware that is designed to destroy data or devices, rather than to steal information or hold them for ransom,” he explained. “The Iran-Israel cyberwar may prove to be a testing ground for these types of attacks, which Iran could then use against other nations in Europe or the U.S. later on.”
“Furthermore, if Iran is successful with these attacks, other countries will take notice – particularly North Korea and Russia, but even potentially China as well.”
Inflamed by the recent conflict between Israel and the Iran-backed terrorist group Hamas, experts anticipate that Tehran’s escalation in cyber hostilities is unlikely to wane anytime soon.
“Digital attacks are not likely to lead to a full-blown military conflict, [but] they are also cheap and relatively low-risk for Iran to carry out,” said Hijazi. “Iran is the world’s most aggressive and reckless actor in cyberspace, as it lacks the typical restraint we see from other Western adversaries like Russia, China and North Korea.”
“Destructive cyberattacks are the perfect asymmetric warfare strategy for a country like Iran, which lacks the military power or financial resources to confront Israel or the United States directly.”
Source » iranbriefing