A study by Unit 42, Palo Alto Networks' cybersecurity research unit, has found that one of the most dangerous Iranian hacking groups recently upgraded its capabilities and coded new malware that could pose a threat to companies and organizations in Israel.
The study identified several wipers, malware designed to destroy data under the guise of a ransom attack, which could cause significant harm. These programs are complex and dangerous, and the organizations hit by them can expect serious disruption.
The group behind the malware is known as Agrius, a pro-Iranian hacking group sometimes referred to as Agonizing Serpens. It's unclear whether it operates under the direction of the Iranian intelligence directorate or belongs to another country that’s assisting Iran, but it’s undoubtedly a capable group.
Agrius is suspected of being the perpetrator behind a breach into the computer system of an Israeli insurance company, in which the personal data of thousands of government employees, including those linked to security officials, were stolen.
The group is also responsible for a security breach in Bar-Ilan University's computer systems. According to estimates, hackers exploited the breach to attempt to steal research and intellectual property related to various studies conducted in the institute.
Traces that could lead back to the attackers are hidden through the use of a wiper program that destroys endpoints (the computers used to connect to the university's internal network). Some are now concerned that the group's enhanced capabilities can bypass cyber defenses already put in place in response to previous breaches.
Iran's cyberwarfare activity is carried out with external assistance, but not exclusively. While in the past most of Iran's advanced cyber capabilities came from countries such as Russia, Belarus, China or North Korea, estimates today say Tehran possesses advanced cyber capabilities of its own.
According to a U.S. cybersecurity expert, the Iranians were once regarded as "useful idiots" operating in the service of Russian and Russian-speaking cyber entities; today they are capable of developing a significant portion of the tools they use in attacks against Israel themselves.
The Agrius group is suspected of having operated more aggressively against Israel since the outset of the war against Hamas. The group, active since 2020, uses tactics aimed at confusing its victims: it attempts to disguise a breach as a ransomware attack, implying a financial motive, while exploiting the negotiation period to steal data and then wipe the computers to cover its tracks.
After the operation concludes, the important data, such as technological or research information, is passed on, while personal information and identifying data are publicly disclosed on social networks, mainly on Telegram and X (formerly Twitter), to maximize possible fallout and damage.
"Their motivation to publish on social media is to sow fear or inflict reputational damage," the Palo Alto study states. Moreover, the researchers found that the group focuses solely on Israeli targets and does not operate against others.
The hackers target the industrial, technology and education sectors. According to Palo Alto's assessment, the group's new capabilities allow its malware and wipers to bypass traditional cyber defense tools. The company has released indicators of compromise that allow businesses and organizations to update their defensive software and hardware against these new threats.
First published: 22:40, 11.06.23