{"id":3677,"date":"2024-05-21T15:47:21","date_gmt":"2024-05-21T20:47:21","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-and-albania"},"modified":"2024-05-21T15:47:21","modified_gmt":"2024-05-21T20:47:21","slug":"iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/21\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania\/","title":{"rendered":"Iran APTs Tag Team Espionage, Wiper Attacks Against Israel & Albania"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

Iranian state-backed threat actors have been working closely to spy on, and then wreak havoc against, major organizations in Albania and Israel.<\/span><\/p>\n

Iran’s Ministry of Intelligence and Security (MOIS)-linked Scarred Manticore (aka Storm-861), <\/span>Iran’s most sophisticated espionage actor<\/a><\/span>, has been spying on high-value organizations across the Middle East and beyond for some time now. The group is so effective at what it does, in fact, that an entirely different MOIS advanced persistent threat (APT) \u2014 Void Manticore (aka Storm-842) \u2014 is piggybacking off of its initial access to launch destructive campaigns of its own.<\/span><\/p>\n

To date, Void Manticore claims to have successfully targeted more than 40 Israeli organizations, with a number of <\/span>high-profile campaigns in Albania<\/a><\/span> as well.<\/span><\/p>\n

Void Manticore, Scarred Manticore<\/h2>\n

As described in <\/span>a blog post from Check Point Research<\/a><\/span>, the arrangement between manticores is simple, and leverages each group’s strengths.<\/span><\/p>\n

First, Scarred Manticore does the spying. Its clever, fileless Liontail malware framework allows it to quietly perform email data exfiltration, often for well over a year’s time.<\/span><\/p>\n

Then, says Sergey Shykevich, threat intelligence group manager at Check Point, “When there is some escalation, like with Mojahedin-e-Khalq (MEK) in Albania or with the war in Israel, there’s some decisionmaker in the government that decides, ‘Let’s go burn our cyber access for espionage and instead do influence and destructive operations.’ And then they pass it to the other actor, focused on the same organization.”<\/span><\/p>\n

Where Scarred Manticore is incisive and subtle, Void Manticore is loud and messy.<\/span><\/p>\n

Part of the operation is about hack-and-leaks, where Void Manticore operates under the <\/span>faketivist personas<\/a><\/span> Homeland Justice, for campaigns pertaining to Albania, and Karma, for Israel.<\/span><\/p>\n

The group’s other job is sheer demolition. Using largely basic and publicly available tooling \u2014 like remote desktop protocol (RDP) for lateral movement, and the reGeorg Web shell \u2014 it aims for an organization’s files and then starts swinging. Sometimes, this involves manually deleting files and shared drives.<\/span><\/p>\n

The group also has an arsenal of custom wipers, which can generally be thought of in two categories. Some are designed to corrupt specific files or file types, a more targeted approach.<\/span><\/p>\n

Other Void Manticore wipers target the partition table \u2014 the part of the host system responsible for mapping out where files are located on the disk. By ruining the partition table, the data on the disk remains untouched yet inaccessible.<\/span><\/p>\n

Fighting Two Against One<\/h2>\n

Organizations on the receiving end of Iranian state-level attacks might find it extra challenging to defend against two different threat actors, each with their own tools, infrastructure, tactics, techniques, and procedures (TTPs). “It’s a new phenomenon,” Shykevich admits, “so I don’t think anyone has really thought deeply about this yet.”<\/span><\/p>\n

The easier path may be to focus on the initial threat, despite its greater sophistication, because espionage campaigns typically take far longer than destructive ones. “Once someone encounters the destructive actor, they must operate immediately. We’ve seen when the destructive actor receives access to the network, it operates almost immediately. So the timeframe, from the handoff between these two actors before the destruction starts, is very small,” he says.<\/span><\/p>\n

There are also simple defenses any organization can prepare to keep out either group. Void Manticore’s simplistic TTPs, for one, can generally be blocked with competent endpoint security.<\/span><\/p>\n

Even Scarred Manticore’s stealthy espionage can be cut off early, at the source. In most cases, it begins its attacks by <\/span>exploiting CVE-2019-0604<\/a><\/span>, a critical but half-decade-old Microsoft Sharepoint vulnerability. “So it’s preventable,” Shykevich says. “It’s not like it’s a zero-day, or some other thing where there’s zero means to prevent it.”<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Iranian state-backed threat actors have been working closely to spy<\/p>\n","protected":false},"author":12,"featured_media":3678,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3677","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?fit=1200%2C800&ssl=1",1200,800,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?fit=300%2C200&ssl=1",300,200,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?fit=640%2C427&ssl=1",640,427,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?fit=640%2C427&ssl=1",640,427,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?fit=1200%2C800&ssl=1",1200,800,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?fit=1200%2C800&ssl=1",1200,800,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?fit=1024%2C683&ssl=1",1024,683,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iran-apts-tag-team-espionage-wiper-attacks-against-israel-amp-albania.jpg?fit=1200%2C800&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3677"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3677\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3678"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3677"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}