Cybersecurity groups: Iranians targeted top Israeli firms in ransomware attack

ClearSky, Profero say they thwarted hacking attempts by IRGC contractors, but warn that methods could’ve been used in previously unnoticed hacks targeting Jewish state

Illustrative: A cybersecurity expert stands in front of a map of Iran as he speaks to journalists about the techniques of Iranian hacking, September 20, 2017, in Dubai, United Arab Emirates. (AP/Kamran Jebreili)

Iranian hackers contracted by the country’s Islamic Revolutionary Guard Corps targeted prominent Israeli companies in a series of ransomware attacks last month, a pair of cybersecurity firms reported Thursday.

The attacks were attributed to “MuddyWater,” which Microsoft exposed earlier this month as a contractor for the IRGC — designated by both Israel and the US as a terror group.

Dubbing the Iranian effort “Operation Quicksand,” the ClearSky and Profero cybersecurity firms said they “uncovered the first known instance of a potentially destructive attack executed by MuddyWater, focusing on prominent organizations in Israel and in other countries around the world.”

The firms said they identified and thwarted the attacks before any harm could be inflicted, but were now raising an alarm about the methods used, indicating that they could have been employed in earlier hacking attacks that might have gone unnoticed.

The names of the Israeli firms targeted in the ransomware attacks were not identified in the report, ostensibly for security reasons.

A computer programmer hacking a secure system. (releon8211 via iStock)

Two primary methods for the hack were identified by the cybersecurity firms.

In the first, MuddyWater would send phishing emails with malicious Excel or PDF files attached to them. When opened, the documents would download a variant of the Thanos software onto the targeted firm’s computer.

In the second method, MuddyWater would download the Thanos ransomware after identifying a vulnerability in the Microsoft Exchange server known as CVE-2020-0688.

The attacks were identified by a repetitive code containing the word “Covic,” which their report said “may indicate a COVID-19 inspiration and suggests the possible dates in which MuddyWater might have developed the malware.”

ClearSky researcher Ohad Zaidenberg told the business technology site ZDNet that he thinks MuddyWater’s attempted attacks might also be related to escalating tensions between Israel and Iran, which have included recent tit-for-tat cyberattacks.

Last May, numerous Israeli websites were targeted in a cyberattack, with hundreds of websites estimated hit, including some belonging to major firms, political groups, and other organizations and individuals.

Iranian officials on Friday said the country’s Port Authority had been hit in a cyberattack this week, a day after vaguely confirming that two governmental departments had been attacked.

The attack targeted the electronic infrastructure of the country’s ports to disrupt the flow of goods in and out of the country, but failed to affect the process, officials said.

The authority said the attack had been perpetrated by “sworn enemies” who “failed to achieve their goals” of hitting Iran’s economy through sanctions — an apparent reference to the United States.

It said “appropriate measures” had been taken in response, without elaborating.

It was not clear what other government agency had been hit.

Iran occasionally says it has thwarted cyberattacks on its infrastructure, although it has disconnected much of its infrastructure from the internet after the Stuxnet computer virus, widely believed to be a joint US-Israeli creation, disrupted thousands of Iranian centrifuges in the country’s nuclear sites in the late 2000s.

A major cyberattack in May at Iran’s Bandar Abbas port was blamed on Israel, which has long accused Iran of using the port for military purposes to aid terrorists elsewhere in the Middle East, including Hamas and Hezbollah, with the IDF intercepting some of the shipments.

The May attack attributed to Israel was apparently in response to an alleged Iranian attempt to hack into Israel’s water infrastructure system. According to a New York Times report in May, the port was specifically chosen as a non-central target with the goal of sending a message more than to inflict actual damage.

Israel’s security firms and agencies have reportedly been preparing for a potential Iranian or Iran-linked cyberattack in response to the attack on the port.

There was a series of mysterious blasts at Iranian strategic sites over the summer which were largely attributed to either Washington or Jerusalem, or both.

Last year, Washington officials said that US military cyber forces had launched a strike against Iranian military computer systems, as US President Donald Trump backed away from plans for a more conventional military strike in response to Iran’s downing of an American surveillance drone in the strategic Persian Gulf.

This photo released July 2, 2020, by the Atomic Energy Organization of Iran, shows a building after it was damaged by a fire, at the Natanz uranium enrichment facility some 200 miles (322 kilometers) south of the capital Tehran, Iran. (Atomic Energy Organization of Iran via AP)

The most significant appeared to be a July explosion at the Natanz nuclear site, which was most likely caused by a bomb planted at the facility, potentially at a strategic gas line, but a New York Times report did not rule out the possibility that a cyberattack was used to cause a malfunction that led to the explosion.

In December, Iran said it had halted a massive cyberattack on unspecified “electronic infrastructure” but provided no specifics on the purported attack.

Tensions have escalated between the US and Iran since Trump in 2018 withdrew America from Iran’s nuclear deal with world powers and began a policy of “maximum pressure” on Tehran.

Tensions rose further after a US airstrike killed a top Iranian general at Baghdad’s airport in January. Iran retaliated with a ballistic missile strike on Iraqi bases housing American troops, wounding dozens of US troops.
