The cyber companies Clearsky and Profero have published a report with disturbing revelations about what it describes as an "Iranian cyber attack on companies in the Israeli economy." The main point of the report is that the attack uses malware intended to encrypt the victims' computers, just like ransomware, but this time without any financial demand. The Iranian hackers are content to block companies from using their data, a particularly troubling situation in days of remote work and increased reliance on digital systems to run commercial and economic activity in the economy.
To infiltrate the defenses of Israeli companies (if any), the Iranian hacker group MuddyWater uses a relatively new tactic in the cyber war that has been raging for several years between Israel and the West and the cyber units of Iran and the Revolutionary Guards.
"At the beginning of September, we located attempts to attack Israeli companies by the Iranian attacking group MuddyWater," explains Omri Segev Moyal, CEO of Profero.
"Apparently, the goal was to launch fake ransomware attacks, aimed at encrypting the data of companies in the economy, without allowing the ability to later recover the information. The attacks were launched through known operating system vulnerabilities or by phishing that included infected PDF or Excel documents," he said.
"Usually this group is engaged in social engineering campaigns, through which it steals information and spies on organizations," adds Boaz Dolev, CEO of Clearsky. "However, at this exposure we first encountered a different attack outline that was likely intended to cause only harm and destruction."
The hackers used Shamoon-based malware that has served as a cyber weapon for the Iranians for several years. The most well-known attack in which it was used was carried out in 2012, when tens of thousands of computers of the Saudi National Oil Company were wiped. Over the years the Iranians have modified and improved the malware and even added a number of new versions of it.
Malware of this kind is called a wiper: it is designed to erase all the data on a computer or computer infrastructure. The main innovation in the current attack is the attempt to disguise the wiper as ransomware. Ransomware has become a real hit in the last year, but it is usually easily identified by most information security tools. Disguising the wiper makes it possible to conceal the scope of the attack and its source.
It is not clear how many companies were attacked or harmed, and the report refrains from naming names, but its authors agreed to say that "these are quite a few organizations in the economy." The current attack was thwarted with the help of the national cyber array (the Israel National Cyber Directorate) together with Profero and Clearsky, but that does not mean there will be no more sophisticated attempts. The recommendation now is for companies that want to reduce their exposure to monitor EDR systems, update servers and endpoints, increase employee alertness to phishing and social engineering attempts, and perform regular password changes.