A new study from Israeli company SentinelOne is claiming that an Iranian hacker group, operating under the Iranian government, is behind numerous cyber attacks against a variety of Israeli targets in recent years.
Israeli companies have been the targets of countless attacks attributed to Iranian hackers in recent years, but until now it had not been clear what the motivation behind these actions was. Some studies referred to the attacks as criminal assaults, while others saw them as strategic actions. Until now, the assumption was that Iranian hacker groups operate mainly with criminal motives rather than strategic ones.
According to researcher Amitai Ben Shushan Ehrlich, this specific group, named Agrius, has been operating in Israel since the beginning of 2020. While SentinelOne is very careful when discussing the group, the company assesses with “medium confidence” that this group is of Iranian origin, “engaged in both espionage and disruptive activity.” Furthermore, according to information obtained by Calcalist from other sources in the industry, this group was behind the attacks on Shirbit and KLS Capital.
While SentinelOne admits in its report that “it is hard to provide a definitive attribution for Agrius,” it does state that “a set of indications pointing the activity towards an Iranian nexus came up throughout the investigation.”
The report goes on to state that Agrius’ actions, as in past attacks by Iranian hackers, seem to be correlated with Iranian interests. It also states that some of Agrius’ tools in the attack were uploaded from Iran and other Middle Eastern countries, and that some of the attack’s infrastructure was hosted on servers “that have also resolved to Iranian domains in the past.”
The report also touched on the “usage of the DEADWOOD wiper,” an Iranian-made tool, writing “Agrius utilized the DEADWOOD wiper, which was previously attributed to an Iranian-nexus actor,” and while “the ties between Agrius and the threat actor who originally deployed DEADWOOD remain unclear, it’s possible that the two groups have access to shared resources.”
Read the complete article at: Calcalist Tech