An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively.
Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also referred to as Storm-0842 (formerly DEV-0842) by Microsoft.
"There are clear overlaps between the targets of Void Manticore and Scarred Manticore, with indications of systematic hand off of targets between those two groups when deciding to conduct destructive activities against existing victims of Scarred Manticore," the company said in a report published today.
The threat actor is known for its disruptive cyber attacks against Albania since July 2022 under the name Homeland Justice that involve the use of bespoke wiper malware called Cl Wiper and No-Justice (aka LowEraser).
Similar wiper malware attacks have also targeted Windows and Linux systems in Israel following the Israel-Hamas war after October 2023 using another customer wiper codenamed BiBi. The pro-Hamas hacktivist group goes by the name Karma.
Attack chains orchestrated by the group are "straightforward and simple," typically leveraging publicly available tools and making use of Remote Desktop Protocol (RDP), Server Message Block (SMB), and File Transfer Protocol (FTP) for lateral movement prior to malware deployment.
Initial access in some cases is accomplished by the exploitation of known security flaws in internet-facing applications (e.g., CVE-2019-0604), according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2022.
A successful foothold is followed by the deployment of web shells, including a homebrewed one called Karma Shell that masquerades as an error page but is capable of enumerating directories, creating processes, uploading files, and starting/stopping/listing services.
Void Manticore is suspected of using access previously obtained by Scarred Manticore (aka Storm-0861) to carry out its own intrusions, underscoring a "handoff" procedure between the two threat actors.
This high degree of cooperation was previously also highlighted by Microsoft in its own investigation into attacks targeting Albanian governments in 2022, noting that multiple Iranian actors participated in it and that they were responsible for distinct phases -
- Storm-0861 gained initial access and exfiltrated data
- Storm-0842 deployed the ransomware and wiper malware
- Storm-0166 exfiltrated data
- Storm-0133 probed victim infrastructure
It's also worth pointing out that Storm-0861 is assessed to be a subordinate element within APT34 (aka Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig), an Iranian nation-state group known for the Shamoon and ZeroCleare wiper malware.
"The overlaps in techniques employed in attacks against Israel and Albania, including the coordination between the two different actors, suggest this process has become routine," Check Point said.
"Void Manticore's operations are characterized by their dual approach, combining psychological warfare with actual data destruction. This is achieved through their use of wiping attacks and by publicly leaking information, thereby amplifying the destruction on the targeted organizations."
