Iranian cybercriminals attack Israeli entities

May 27, 2021 10:02 GMT  ·  By

Researchers revealed on Tuesday a new espionage effort that has used destructive data-wiping attacks against Israeli companies since at least December 2020. According to The Hacker News, the attacks were disguised as ransomware extortion.

SentinelOne, a cybersecurity company, attributed the attacks to a nation-state actor associated with Iran, tracked under the alias Agrius.

The researchers state: "An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets".

"The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups".

Modus Operandi

The group's method of operation is to deploy custom .NET malware called Apostle, which evolved from a wiper into fully functional ransomware, supplanting its earlier wiper capability. In some operations a second wiper, dubbed DEADWOOD, was deployed after a logic flaw in earlier versions of Apostle prevented it from deleting data.

Furthermore, the Agrius operators drop a .NET implant known as IPsec Helper, which can be used to exfiltrate data or deploy additional malware.

Attackers shifted from espionage to ransom demands

The threat actor's methods have shifted from espionage to demanding ransoms from victims for access to their encrypted data, only for that data to be destroyed in a wiping attack.

Beyond using ProtonVPN for anonymization, the Agrius attack cycle exploits 1-day vulnerabilities (flaws for which a patch is already public but not yet applied) in internet-facing web applications, such as CVE-2018-13379, the path traversal in the FortiOS SSL VPN web portal, to gain an initial foothold. The operators then deploy ASPXSpy web shells to maintain remote access to compromised systems and execute arbitrary commands.
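The two footholds described above leave traces in ordinary web server access logs: the CVE-2018-13379 exploit is a GET to /remote/fdssoinfo whose lang parameter traverses to /dev/cmdb/sslvpn_websession (the pattern of the public proof of concept), and a dropped ASPX web shell shows up as requests for a .aspx file in a directory that should only hold static content. The following detector is an added example written for this article, not code from SentinelOne or The Hacker News; the log lines are constructed, and the STATIC_DIRS list is an assumed site layout that must be adapted to the target.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption (hypothetical site layout): directories that must never serve server-side code.
# A .aspx file requested under any of them is treated as a probable dropped web shell.
STATIC_DIRS = ("/uploads/", "/images/", "/static/")

# Combined-log style line; only the fields needed for the rules are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not from the article or any real incident).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Dec/2020:02:14:07 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1843
203.0.113.10 - - [15/Dec/2020:02:14:09 +0000] "GET /remote/fdssoinfo?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 38271
203.0.113.10 - - [15/Dec/2020:02:14:11 +0000] "GET /remote/fdssoinfo?lang=%2f%2e%2e%2f%2e%2e%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 200 38271
198.51.100.7 - - [15/Dec/2020:02:31:55 +0000] "GET /uploads/avatar.aspx HTTP/1.1" 200 9210
198.51.100.7 - - [15/Dec/2020:02:33:12 +0000] "POST /uploads/avatar.aspx HTTP/1.1" 200 5120
192.0.2.44 - - [15/Dec/2020:03:05:01 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""


def is_fortios_traversal(url):
    """CVE-2018-13379: path traversal through the lang parameter of /remote/fdssoinfo
    on the FortiOS SSL VPN portal, used to read /dev/cmdb/sslvpn_websession.
    Decode twice so percent-encoded evasions (%2e%2e%2f, double encoding) are caught."""
    decoded = unquote(unquote(url)).lower()
    return decoded.startswith("/remote/fdssoinfo") and (
        "../" in decoded or "sslvpn_websession" in decoded
    )


def is_webshell_path(url):
    """Any request (GET to load the ASPXSpy UI, POST to run a command) for a .aspx
    resource under an assumed static-only directory."""
    path = unquote(url).split("?", 1)[0].lower()
    return path.endswith(".aspx") and path.startswith(STATIC_DIRS)


def scan(log_text):
    """Return one finding per matching request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the sweep
        ip, ts, method, url = m.group("ip", "ts", "method", "url")
        if is_fortios_traversal(url):
            findings.append({"ip": ip, "ts": ts, "rule": "CVE-2018-13379 traversal", "url": url})
        elif is_webshell_path(url):
            findings.append({"ip": ip, "ts": ts, "rule": "web shell access", "url": url})
    return findings


def by_source(findings):
    """Group triggered rule names by source IP so one operator's chain is visible at a glance."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["ip"]].append(f["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["rule"], f["url"])
    print(by_source(scan(SAMPLE_LOG)))
```

Run against real logs by feeding the file contents to scan(). The FortiOS rule is specific to one CVE; the web shell rule is only as good as the STATIC_DIRS assumption, so pair it with file-integrity monitoring of the web root rather than relying on it alone.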

The report adds to evidence that state-sponsored actors linked to the Iranian regime are increasingly turning to ransomware activity to pose as financially motivated criminal ransomware groups.

The researchers also noted: "While being disruptive and effective, ransomware activities provide deniability, allowing states to send a message without taking direct blame".

"Similar strategies have been used with devastating effect by other nation-state sponsored actors".