Undeleted Hard Disks and Targeting Kitchen Vents: Iran’s Botched Cyberattacks on Israel

New reports show how hackers linked to Iran or working in its name are attacking Israeli entities – with limited or no success. Meanwhile, North Koreans are plaguing Israeli cryptocurrency firms

Omer Benjakob

Agrius' wiper attacks, as revealed by SentinelOne in a new report. Credit: AMITAI BEN SHUSHAN EHRLICH / SentinelLabs

Israel has faced a string of ideological cyberattacks attributed to Iran or its proxies over the past decade, but several new reports suggest that many of these are amateurish and often fail – in contrast to financially motivated attacks by North Korean hackers against Israeli cryptocurrency firms.

SentinelOne, an Israeli cybersecurity firm, revealed details of a new group called Agrius, which may well be Iranian and definitely follows patterns observed in Iranian hackers in the past. The group's campaign began in 2020 and involved a type of nefarious software that not only takes control of its victim’s system but can also delete it.

Malware that deletes data on infected hard disks is known as a “wiper” and, according to SentinelOne, Agrius’ version “was previously involved in a wiping attack in the Middle East and tentatively attributed to Iran.”

The cybersecurity firm notes that while this is “not a strong link, it is worth noting when correlated with other technical links [that] Iranian threat actors have a long history of deploying wipers, dating back to 2012, when Iranian hackers deployed the notorious Shamoon malware” against Saudi Arabia’s Aramco. That attack was described at the time as the biggest hack in history.

“Since then,” SentinelOne said, “Iranian threat actors have been caught deploying wiper malware in correlation with the regime’s interests on several occasions.”

The nefarious software initially failed to work properly and only a later, second version created by the purportedly Iranian hackers succeeded in making good on its threat to delete the data.

This type of failure is part of a wider trend of botched attacks by anti-Israel hackers attributed to Iran.

Another new report this week, released by FireEye, highlights how many of the attacks on complex infrastructure systems are actually very simple in nature and riddled with issues and errors.

“We have seen hacktivist groups that frequently use anti-Israel/pro-Palestine rhetoric in social media posts share images indicating that they had compromised [operational technology] assets in Israel, including a solar energy asset and [the log] used for different applications such as mining exploration and dam surveillance,” FireEye reported.

The latter is likely a reference to a cyberattack on an Israeli water facility that took place in the summer of 2020. However, many times these acts of digital braggadocio actually revealed what the cybersecurity firm described as “gaffes.”

“Some of the actors we track made comments that indicated they had either a limited understanding of the assets they compromised or that they were simply attempting to gain notoriety,” FireEye said. It cited hackers who shared a screenshot of a supposedly compromised rail-control system that turned out to be the interface of a model train set.

Alluding to what appears to be an Iranian hacker group, FireEye noted that “another group made a similar gaffe when they claimed to retaliate for an explosion at a missile facility in Iran by compromising an Israeli ‘gas system.’ A video of their operation showed that they had actually compromised a kitchen ventilation system installed at a restaurant in Ramat Hasharon,” a north Tel Aviv suburb.

Hacktivist claims that they compromised an Israeli "gas system" turned out to refer to the ventilation system at a restaurant in Ramat Hasharon. Credit: Keith Lunden, Daniel Kapellmann

Israel’s cryptocurrency market, however, has been plagued by various successful attacks in recent years that have caused financial damage to its victims. ClearSky, a prominent cybersecurity firm, revealed this week that the attacks were almost all the work of a group of North Korean hackers. The group, known as Lazarus, has hit hundreds of Israeli financial institutions, but tends to target those dealing with digital currencies more than others.

ClearSky managed to link a number of different attacks – attributed to a number of different attackers – to the group, which has been given different names over the years, including Hidden Cobra.

The operation was dubbed CryptoCore. Using a comparison of the different techniques, tactics and procedures, ClearSky showed that the attacks were all the work of Lazarus. The FBI has said the group is operated by the North Korean state and is run by its intelligence service, the Reconnaissance General Bureau.