Report: Iranian hacking group launched concentrated attack on Israeli companies
ClearSky and Profero, who identified the attack, said hackers launched fake ransomware attacks aimed at encrypting company data
Raphael Kahan | 12:35, 18.10.20
Cyber companies ClearSky Cyber Security Ltd. and Profero Cyber Security reported Thursday some disturbing findings, detailing Iranian cyberattacks on Israeli companies. According to the report’s findings, the attack used malware aimed at encrypting computers and blocking users from accessing them, similar to ransomware, only without demanding money. The Iranian hackers would have been capable of blocking Israeli companies from accessing their data, a troubling scenario, especially during the work-from-home era and given the increased use of digital means to carry out commercial and economic transactions.
The Iranian hacker group, dubbed MuddyWater, used a relatively new tactic in order to penetrate the Israeli companies’ security systems. Hacking has been yet another front in the ongoing digital war pitting Israel and the West against the Iranian Revolutionary Guards over the past several years.
“In early September, we located attempts at an attack by the group ‘MuddyWater’ against Israeli companies,” explained Profero’s CEO Omri Segev Moyal. “ClearSky was able to pinpoint an overlap between this attempt and an identical campaign uncovered recently by Palo Alto Networks.”
“Apparently, the hackers aimed to launch fake ransomware attacks, aimed at encrypting Israeli companies’ data and preventing it from being restored. The attacks were launched by using vulnerabilities in the operating systems or through phishing attacks that most likely used infected Adobe PDF or Microsoft Excel files,” said Moyal.
“Usually this group uses social engineering campaigns to steal information and spy on other organizations,” added ClearSky CEO Boaz Dolev. “For the first time, we exposed a different means of a cyberattack that is solely aimed at causing harm and ruin.”