Iran - Israel Cyber Attacks

A growing summery of Cyber Operations perpetrated by Iran against Israel.

• 2017 April. 19 - 24

  The Iranian APT group OilRig (aka APT34) targeted around 250 individuals in various sectors like government, high-tech, healthcare, education, and more.
  The attack was delivered using word documents exploiting CVE-2017-0199, through compromised email accounts from the Ben-Gurion University.

• 2018 May

  A suspected Iranian threat actor named ViceLeaker (Linked to Cotton Sandstorm) targeted dozens of mobile devices belonging to Israeli citizens using various Android apps repackaged with spyware.

• 2020 April. 24 - 25

  Unknown Iranian threat actors suspected of attacking six water facilities in Israel.
  According to Western Officials, the hack aimed to raise Chlorin levels, a scenario that could've caused wide-scale water poisoning.

• 2021 May - July

  An Iranian APT group named SiameseKitten (Hexane/Lyceum, sometimes confused with OilRig) conducted a Spear-Phishing campaign against Israeli IT and communication companies.
  The attackers used fake job offers through LinkedIn, disguised as an HR department employee, and even established a fake Phishing website to impersonate the targeted organization.

• 2021 Sep

  The Iranian linked group MosesStaff carried out targeted attacks against Israeli companies using a legitimate encryption tool.
  The main motive was to cause damage by leaking sensitive information, and encrypting the victims network without demanding ransom.

• 2021 Sep - 2022 Jun

  The Iranian espionage group BallisticBobcat (APT35) hacked various Israeli companies in multiple industries like automotive, communication, healthcare, finance and many more.
  The attackers presumably exploited CVE-2021-26855 in Microsoft Exchange servers without specifically targeting victims.

• 2022 Feb

  Unknown Iranian hackers used spear-phishing attacks against high ranking Israeli officials. The attackers were able to gain credibility by infiltrating into email conversation threads after hacking one of the correspondents.

• 2023 Feb

  The Iranian group MuddyWater are suspected to be behind the DarkBit Ransomware/Wiper Attacks on the Israeli Technion University. The attackers promoted anti-Israeli rhetoric, protested tech layoffs and demanded 80 BTC (at that time around $1.7 million) as ransom.

• 2023 Sep. 21

  The Iranian APT group OilRig (aka APT34, sometimes mixed with SiameseKitten) operated cyber espionage campaigns exclusively against Israeli organizations.
  Presumably spread via Spear-Phishing and was mainly intended to steal sensitive information.

• 2023 Oct. 10

  An pro-Iranian low-sophistication hacktivist group named SiegedSec, claimed that it had conducted a series of DDoS attacks against Industrial Controllers for critical infrastructure.

• 2023 Oct. 19

  The Iranian OilRig cyber espionage group (aka APT34, Crambus) broke into computer networks in an unspecified country from the middle east (probably Israel, UAE or one of the other Gulf states) and collected data for 8 months.
  The attackers collected sensitive information like passwords, files and even inspected USB packets.

• 2023 Oct. 28

  The Iranian threat group Moses Staff Claimed in their Telegram channel that they have infiltrated and caused damage to Contel (an Israeli industrial automation company).
  Apart from that they have also claimed to have hacked 20 other companies and leaked IDF reservists information.

• 2023 Oct. 30

  A destructive malware named BiBi Wiper was found attacking Linux computers (and Windows) in an unspecified Israeli company.
  The attack was done by a hacktivist group named Krama (linked to Moses Staff), politically motivated due to it's destructive nature, and multiple mentions of BiBi (The nickname of the Israeli PM Benjamin Netanyahu).

General Summary

Iran has two known top-level agencies responsible for most of the cyber operations.

• IRGC (Islamic Revolutionary Guard Corps).

  • Reports directly to the Iranian supreme leader (Ali Khamenei)

• MOIS (Ministry of Intelligence and Security (VEVAK in Farsi)

  • Reports to the president.

Both coordinate through the Supreme Council of Cyberspace.

The IRGC also contracts private companies like Emennet Pasargad (Cotton Sandstorm), Afkar Systems, Najee Technologies (Nemesis Kitten/APT35 Cluster), and more.
Some of the prominent targets are Israel, the United States, Gulf states like the United Arab Emirates, Bahrain, Saudi Arabia, and Iranian political adversaries.

Iranian cyber operations vary from Ransomware, Defacement, Sabotage (DOS/Wipers), espionage, theft and gaining illicit profit, to manipulation and influence campaigns, aka Cyber-Enabled Influence Operations (IOs).

The influence campaigns include themes like Palestinian resistance, Shi'ite unrest in the Gulf, counter-Arab-Israeli normalization and economic relations, cause panic/fear among Israelis, political manipulations in the US, and exposing corrupt or embarrassing activities of Iranian adversaries.

Known Iranian APT Groups

IRGC (Islamic Revolutionary Guard Corps)

• Cotton Sandstorm (aka Neptunium, Emennet Pasargad, ViceLeaker)
  Sabotage and Influence Ops
• Fox Kitten(aka Pioneer Kitten)
  Espionage and Profit
• APT 33 (aka Holmium)
  Espionage and Sabotage
• APT 42
  Espionage
• APT 35 (Cluster)
  Influence Ops, Espionage and Profit
  • Subgroups
    • Charming Kitten (aka Phosphorus)
    • Mint Sandstorm
    • ITG18
    • TA453
    • Magic Hound
    • Ballistic Bobcat
  • Nemesis Kitten (Cobalt Mirage/Illusion)
    Espionage and Profit
• Imperial Kitten (aka TortoiseShell)
  Espionage
• Cobalt Sapling
  Sabotage and Espionage
  • MosesStaff (aka Marigold Sandstorm)
    • Their site is active (moses-staff[.]se), hosted in Sweden, looks cryptic and politically motivated against "Moses' legitimacy" (i.e. Israel).
    • Linked to Abrahams Ax

MOIS (Ministry of Intelligence and Security)

Aka VEVAK (in Farsi) previously SAVAK

• MuddyWater (aka Static Kitten, Mango Sandstorm, Mercury, and more)
  Espionage and Sabotage
  • Also behind the the Cyber Persona/Ransomware named DarkBit
• OilRig (aka APT34, Lyceum, Crambus, HelixKitten, ...)
  Influence Ops, Sabotage and Espionage
• SiameseKitten (aka Hexane/Lyceum)
  • Operation activity swapped with OilRig after the "Dookhtegan" leaks.
• Agrius
  • Used the Cyber Persona BlackShadow

Unknown Governmental Agency

• Domestic Kitten (APT-C-50)

Hacktivists

• SiegedSec
• Abraham's Ax

Known Tools and Malware

• FurBall (Android, Domestic Kitten)

  c168f3ea7d0e2cee91612bf86c5d95167d26e69c
  424e86bb95dd9c18a0c576ff09bfb78433968ecd
  222bb71aecb45d4430cefa1bfa0a53c3fa4a67f0
  530e602b959009f80b5161aeb0eaec7c75dfd826
  

• TelegramGrabber (Win64 EXE, Yellow Garuda)

  1310245dd050596a03f63b604417172cabeb8fb1
  

• [PineFlower] (Android)
• [SyncroRAT] (MuddyWater)
• DarkBit Ransomware (Win32 EXE, MuddyWater)

  30466ccd4ec7bcafb370510855da2cd631f74b7a
  

• PoisonFrog and Glimpse (BondUpdater Trojan)
• Sponsor Backdoor (Win32 EXE, Ballistic Bobcat)

  098b9a6ce722311553e1d8ac5849ba1dc5834c52 - v1
  5aee3c957056a8640041abc108d0b8a3d7a02ebd - v2
  764eb6ca3752576c182fc19cff3e86c38dd51475 - v3
  2f3eda9d788a35f4c467b63860e73c3b010529cc - v4
  

• Plink Backdoor
• Merlin Agent
• PowerExchange Backdoor
• Tokel Backdoor
• Dirp Trojan
• Clipog Infostealer
• Solar and Mango Backdoors (OilRig)
• ALMA, Shark, DanBot, and Milan (OilRig)
• Helminth Trojan
• ViceLeaker (Apk, Aka Triout Spyware, Neptunium)

  Samples:
    2449dca16df3ccbbdbcbbb4e1a20eb6453613b15
    771d9ea97e74b622d0d110fda1fdd29bb0a0cb5e
    e734c38cb27fe6b856df026cab51a9dc18fa58ca
  
  IOC:
    reqsmscal.php // C&C php script name
  
  

• Moneybird (Agrius)
• Apostle Wiper (Agrius)
• DEADWOOD Wiper
• Apostle Ransomware (aka Detbosit, Agrius)

Sources:

• https://blogs.microsoft.com/on-the-issues/2023/05/02/dtac-iran-cyber-influence-operations-digital-threat/
• https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW13xRJ
• https://blog.sekoia.io/iran-cyber-threat-overview/
• https://iranprimer.usip.org/blog/2023/may/03/report-iran-accelerates-cyberattacks
• https://www.darkreading.com/ics-ot/israeli-irrigation-water-controllers-postal-service-breached
• https://www.ynet.co.il/digital/technews/article/s1js11exg2
• https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/
• https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/
• https://www.timesofisrael.com/iran-cyberattack-on-israels-water-supply-could-have-sickened-hundreds-report/
• https://www.gov.il/en/departments/news/_muddywater
• https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a
• https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations
• https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government
• https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/
• https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/
• https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf
• https://thehackernews.com/2021/08/iranian-hackers-target-several-israeli.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29
• https://www.mandiant.com/resources/blog/targeted-attack-in-middle-east-by-apt34
• https://github.com/microsoft/mstic/blob/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json
• https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/
• https://www.ic3.gov/Media/News/2022/220126.pdf
• https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/05/Iran-turning-to-cyber-enabled-influence-operations-for-greater-effect-05022023.pdf
• https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/
• https://www.sentinelone.com/labs/from-wiper-to-ransomware-the-evolution-of-agrius/
• https://www.bitdefender.com/blog/labs/triout-android-spyware-framework-makes-a-comeback-abusing-app-with-50-million-downloads/
• https://www.bitdefender.com/blog/labs/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/
• https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
• https://cyware.com/news/cobalt-sapling-uses-multiple-personas-for-pro-iranian-missions-e0da05b4
• https://malpedia.caad.fkie.fraunhofer.de/actor/mosesstaff
• https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises
• https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/abrahams-ax
• https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff

...