Iranian hackers have been launching cyber attacks on Israeli tech and higher education sectors in an attempt to steal sensitive information, according to a new report.
The attacks began in January 2023 and have been observed as recently as October. According to Palo Alto Networks Unit 42, the threat actors are linked to the Iranian state-backed Agonizing Serpens hacking group, which first appeared in 2020 and is known for deploying fake ransomware and wiper tools against Israeli targets.
“Our investigation revealed the perpetrators of the attacks have strong connections to an Iranian-backed APT group Unit 42 tracks as Agonizing Serpens (aka Agrius, BlackShadow, Pink Sandstorm, DEV-0022),” it said.
Unit 42 also said that the group intends to steal intellectual property, sensitive information and personal details before wiping any evidence of their actions.
“The attacks are characterised by attempts to steal sensitive data, such as personally identifiable information (PII) and intellectual property,” it said.
“Once the attackers stole the information, they deployed various wipers intended to cover the attackers’ tracks and to render the infected endpoints unusable.”
The threat group gained access to victim systems by exploiting vulnerabilities in internet-facing web servers, where it deployed web shells that then executed reconnaissance commands, allowing the group to map out the network.
Palo Alto has observed this technique being used by the threat actor in many of its attacks.
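The web-shell stage described above has a recognisable footprint on the endpoint: a web-server worker process spawning a shell that runs host and network enumeration commands. The following is an added detection example (not code from Unit 42 or the article) that scores constructed process-creation events per host; the process names, command list and sample events are assumptions chosen for illustration.

```python
"""Flag hosts where a web-server process spawns reconnaissance commands,
the behaviour that typically follows a web shell deployment."""
from collections import defaultdict

# Assumed set of HTTP-serving parent processes; a shell under them is unusual.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat"}
# Assumed list of common host/network enumeration commands.
RECON_COMMANDS = {"whoami", "ipconfig", "net", "nltest", "netstat",
                  "systeminfo", "quser", "tasklist", "hostname"}

# Constructed sample events in a generic EDR-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2023-10-02T08:14:01Z", "host": "web01", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2023-10-02T08:14:05Z", "host": "web01", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c net user"},
    {"ts": "2023-10-02T08:14:09Z", "host": "web01", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2023-10-02T09:00:00Z", "host": "web02", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c echo ok"},       # app-initiated, benign
    {"ts": "2023-10-02T09:30:00Z", "host": "ws07", "parent": "explorer.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},        # interactive user, not a web server
]


def recon_tokens(cmdline):
    """Return the recon command names present in a command line."""
    tokens = cmdline.lower().replace("\\", "/").split()
    names = {t.rsplit("/", 1)[-1].removesuffix(".exe") for t in tokens}
    return names & RECON_COMMANDS


def find_web_shell_recon(events, threshold=2):
    """Group recon commands spawned by web-server parents per host and return
    only hosts with at least `threshold` distinct recon commands, since a
    single command may be a legitimate application action."""
    hits = defaultdict(list)
    for ev in events:
        if ev["parent"].lower() not in WEB_SERVER_PROCS:
            continue
        found = recon_tokens(ev["cmdline"])
        if found:
            hits[ev["host"]].append((ev["ts"], sorted(found)))
    return {h: evs for h, evs in hits.items()
            if len({c for _, cmds in evs for c in cmds}) >= threshold}


if __name__ == "__main__":
    for host, evs in find_web_shell_recon(SAMPLE_EVENTS).items():
        print(f"{host}: {len(evs)} recon commands under a web-server process")
```

On the constructed data only `web01` is flagged, because the web02 command carries no recon token and the ws07 command was not spawned by a web server.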
Once inside the victim’s network, the group obtains administrator credentials in order to operate with elevated privileges.
The goal of the breach is to steal data from the victim’s database, with personal data including ID numbers, passport scans, full addresses and emails.
Following the exfiltration of data, the group covers its tracks using three separate wiper programs. It then renders the system unusable by corrupting the boot sector so that the machine can no longer boot.
Despite the campaign having been launched 10 months ago, Palo Alto said that evidence suggests Agonizing Serpens has “recently upgraded their capabilities” and has been rotating through different proof-of-concept and pen-testing tools to bolster its ability to bypass security measures such as endpoint detection and response (EDR).
For the full technological breakdown of their activities, visit the Palo Alto Networks Unit 42 website.