Iran-linked cyberthreat actor “Agrius” attacks Israeli targets through supply chain

Researchers from ESET discovered Fantasy, a new wiper deployed through an Israeli software suite used in the diamond industry


ESET researchers recently discovered a new wiper and its execution tool, both attributed to the Iran-linked Agrius APT group, while analyzing a supply-chain attack abusing an Israeli software developer.

According to the research published in the company’s blog, Agrius began targeting Israeli HR and IT consulting firms, as well as users of an Israeli software suite used in the diamond industry, in February 2022. 

“We believe that Agrius operators conducted a supply-chain attack abusing the Israeli software developer to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals,” says the report.

Agrius is relatively new to the scene, first observed operating in Israel in 2020. According to previous research conducted by Sentinel Labs, the group initially engaged in espionage activity and, masquerading its activity as ransomware attacks, deployed a series of destructive wiper attacks against Israeli targets, using a novel wiper dubbed “Apostle”.

The Fantasy wiper is built on the foundations of Apostle but does not attempt to masquerade as ransomware, says ESET. Instead, it goes right to work wiping data.

“On February 20th, 2022 at an organization in the diamond industry in South Africa, Agrius deployed credential harvesting tools, probably in preparation for this campaign,” says the report.

“Then, on March 12th, 2022, Agrius launched the wiping attack by deploying Fantasy and Sandals, first to the victim in South Africa and then to victims in Israel and lastly to a victim in Hong Kong.

“Victims in Israel include an IT support services company, a diamond wholesaler, and an HR consulting firm. South African victims are from a single organization in the diamond industry, with the Hong Kong victim being a jeweler.”

The campaign was short-lived, lasting under three hours. Still, it serves as a reminder of the ever-evolving threat and ubiquity of the Iran-Israel cyber war.
