A new threat actor dubbed "Agrius", which has infiltrated the Israeli cyber sphere, was observed using ransomware attacks as cover for espionage and destructive activity, according to a report published by Israeli cybersecurity company SentinelLabs. The researchers could not definitively attribute the new actor, but they pointed out a number of connections to Iran.
"An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets," wrote Amitai Ben Shushan Ehrlich, a researcher at the company. "The operators behind the attacks intentionally masked their activity as ransomware attacks."
According to the report, one of the wipers, called Apostle, was later turned into ransomware, with encryption replacing its original wiping functionality. "The message inside it suggests it was used to target a critical, nation-owned facility in the United Arab Emirates. The similarity to its wiper version, as well as the nature of the target in the context of regional disputes, leads us to believe that the operators behind it are utilizing ransomware for its disruptive capabilities," wrote Ben Shushan Ehrlich.
The researchers did not find a clear connection to known threat actors, but they assessed "with medium confidence" that Agrius is affiliated with Iran, citing Iran's history of carrying out wiper attacks, the group's use of VPN services that Iranian hackers were observed using in the past, and other overlaps.
Ben Shushan Ehrlich also referred to last month's cyberattacks by the n3tw0rm group, which targeted the Israeli company Veritas Logistics and the fashion retailer H&M Israel, and which according to some assessments is also connected to Iran. "The close proximity of the Agrius and n3tw0rm campaigns suggests they may be part of a larger, coordinated Iranian strategy."