Researchers revealed a destructive campaign against Israeli targets by an Iranian hacking group that on the surface, looked like a ransomware operation. But under the surface, it is likely an elaborate espionage campaign during which attackers maintained access to victims’ networks for months.
SentinelLabs researchers have been tracking this threat actor since December 2020 under the moniker “Agrius.”
“Initially engaged in espionage activity, Agrius deployed a set of destructive wiper attacks against Israeli targets, masquerading the activity as ransomware attacks,” said Amitai Ben Shushan Ehrlich, Threat Intelligence Researcher at SentinelOne.
The group deployed a wiper malware called DEADWOOD (also Detbosit). The malware is often used to destroy data on infected devices. Security experts will recall it from attacks against Saudi Arabian targets in 2019. With time, Agrius operators started to usee a new wiper Apostle. Though malfunctioning initially, this malware has been later developed into fully-featured ransomware.
Researchers observed attackers use such attack vectors, as FortiOS CVE-2018-13379 exploits, SQL injection, and exploitation of various 1-day web app vulnerabilities.
“We believe the implementation of the encryption functionality is there to mask its actual intention: destroying victim data,” the researcher added. “This thesis is supported by an early version of Apostle that the attacker’s internally named ‘wiper-action.’ This early version was deployed in an attempt to wipe data but failed to do so possibly due to a logic flaw in the malware. The flawed execution led to the deployment of the DEADWOOD wiper. This, of course, did not prevent the attackers from asking for a ransom.”
The Iranian hackers have also developed their own .NET malware named “IPsec Helper” that featured basic backdoor capabilities to deliver additional malware and steal data, according to the SentinelOne’s full report.
Besides Agrius, there were other Iranian threat groups that deployed destructive wiper malware against Middle-Eastern targets. State-sponsored actors have often used wipers as a cover-up for other campaigns, including cyber-espionage ones, in the past. For example, APT33 hacking group used the Shamoon wiper against Middle Eastern and European targets.
IBM’s ZeroCleare modified by APT34 and Hive0081 (aka xHunt) was also used against Middle Eastern energy and industrial organizations.
“The usage of ransomware as a disruptive tool is usually hard to prove, as it is difficult to determine a threat actor’s intentions,” the SentinelOne researcher concluded.” Analysis of the Apostle malware provides a rare insight into such attacks, drawing a clear line between what began as a wiper malware to a fully operational ransomware.”