Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel

21-05-2024
Share
Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel

An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively.

Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also known as Storm-0842 (formerly DEV-0842) by Microsoft.

The threat actor is known for its disruptive cyber attacks against Albania since July 2022 under the name Homeland Justice that involve the use of bespoke wiper malware called Cl Wiper and No-Justice (aka LowEraser).

Initial access in some cases is accomplished by the exploitation of known security flaws in internet-facing applications (e.g., CVE-2019-0604), according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2022.

A successful foothold is followed by the deployment of web shells, including a homebrewed one called Karma Shell that masquerades as an error page but is capable of enumerating directories, creating processes, uploading files, and starting/stopping/listing services.

Void Manticore is suspected of using access previously obtained by Scarred Manticore (aka Storm-0861) to carry out its own intrusions, underscoring a “handoff” procedure between the two threat actors.

This high degree of cooperation was previously also highlighted by Microsoft in its own investigation into attacks targeting Albanian governments in 2022, noting that multiple Iranian actors participated in it and that they were responsible for distinct phases –

  • Storm-0861 gained initial access and exfiltrated data
  • Storm-0842 deployed the ransomware and wiper malware
  • Storm-0166 exfiltrated data
  • Storm-0133 probed victim infrastructure

It’s also worth pointing out that Storm-0861 is assessed to be a subordinate element within APT34 (aka Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig), an Iranian nation-state group known for the Shamoon and ZeroCleare wiper malware.

“The overlaps in techniques employed in attacks against Israel and Albania, including the coordination between the two different actors, suggest this process has become routine,” Check Point said.

 

Source: https://thehackernews.com/