Unit 42 Exposes 10-Month Iranian-Linked Cyberattack Saga Against Israel

Palo Alto Networks’ research arm uncovers the latest campaign by Agonizing Serpens, which has gained notoriety in Israel following two previous high-profile attacks

Palo Alto Networks’ Unit 42 research group has discovered a series of destructive Iran-linked cyberattacks targeting Israel’s education and technology sectors.

According to the group’s report, the attacks were tracked as far back as January 2023 and continued as recently as October 2023, after Hamas launched its surprise attack against Israel on October 7th.

The attacks are characterized by attempts to steal sensitive data, such as personally identifiable information and intellectual property. Once the attackers had stolen the information, they deployed various wipers to cover their tracks and render the infected endpoints unusable.

Unit 42 identified the attackers as having a strong connection to the Iranian-backed APT group Agonizing Serpens (aka Agrius, BlackShadow, Pink Sandstorm, and DEV-0022).

Active since at least 2020, this threat group had already gained notoriety in Israel (under the name BlackShadow) after it was linked to two high-profile cyberattacks: against the Shirbit insurance company in December 2020, and against the internet hosting company Cyberserve in October 2021.

After examining the forensic evidence, the Unit 42 researchers believe that the threat group has recently upgraded its capabilities and now employs new wipers and tools. While the group is known for ransomware attacks, the researchers believe that in most cases the real purpose is not financial gain but rather large-scale loss of data and disruption of business continuity.
