Iranian Hacker | Breaking Cybersecurity News | The Hacker News

An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively. Cybersecurity firm Check Point is tracking the activity under the moniker  Void Manticore , which is also referred to as  Storm-0842  (formerly DEV-0842) by Microsoft. "There are clear overlaps between the targets of Void Manticore and  Scarred Manticore , with indications of systematic hand off of targets between those two groups when deciding to conduct destructive activities against existing victims of Scarred Manticore," the company  said  in a report published today. The threat actor is known for its disruptive cyber attacks against Albania since July 2022 under the name Homeland Justice that involve the use of bespoke wiper malware called  Cl Wiper  and  No-Justice  (aka LowEraser). Si...

The Assembly of the Republic of Albania and telecom company One Albania have been targeted by cyber attacks, the country's National Authority for Electronic Certification and Cyber Security (AKCESK) revealed this week. "These infrastructures, under the legislation in force, are not currently classified as critical or important information infrastructure," AKCESK  said . One Albania, which has nearly 1.5 million subscribers, said in a  Facebook post  on December 25 that it had handled the security incident without any issues and that its services, including mobile, landline, and IPTV, remained unaffected. AKCESK further  noted  that the intrusions did not originate from Albanian IP addresses, adding it managed to "identify potential cases in real-time." The agency also said that it has been focusing its efforts on identifying the source of the attacks, recovering compromised systems, and implementing security measures to prevent such incidents from happening...

Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called  MuddyC2Go  as part of  attacks targeting Israel . "The framework's web component is written in the Go programming language," Deep Instinct security researcher Simon Kenin  said  in a technical report published Wednesday. The tool has been attributed to  MuddyWater , an  Iranian   state-sponsored   hacking   crew  that's affiliated to the country's Ministry of Intelligence and Security (MOIS). The cybersecurity firm said the C2 framework may have been put to use by the threat actor since early 2020, with recent attacks leveraging it in place of PhonyC2 , another custom C2 platform from MuddyWater that came to light in June 2023 and has had its source code leaked. Typical attack sequences observed over the years have involved sending spear-phishing emails bearing malware-laced archives or bogus links that lea...

Israeli higher education and tech sectors have been targeted as part of a series of destructive cyber attacks that commenced in January 2023 with an aim to deploy previously undocumented wiper malware. The intrusions, which took place as recently as October, have been attributed to an Iranian nation-state hacking crew it tracks under the name Agonizing Serpens, which is also known as Agrius, BlackShadow and Pink Sandstorm (previously Americium). "The attacks are characterized by attempts to steal sensitive data, such as personally identifiable information (PII) and intellectual property," Palo Alto Networks Unit 42 said in a new report shared with The Hacker News. "Once the attackers stole the information, they deployed various wipers intended to cover the attackers' tracks and to render the infected endpoints unusable." This includes three different novel wipers such as MultiLayer, PartialWasher, and BFG Agonizer, as well as a bespoke tool to extract inf...

Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal. The tech giant, which is tracking the activity under the name  Peach Sandstorm  (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate intelligence collection in support of Iranian state interests. Should the authentication to an account be successful, the threat actor has been observed using a combination of publicly available and custom tools for discovery, persistence, and lateral movement, followed by data exfiltration in limited cases. Peach Sandstorm , also known by the names APT33, Elfin, and Refined Kitten, has been linked to spear-phishing attacks against aerospace and energy sectors in the past, some of which have entailed the use of the  SHAPESHIFT  wiper malware. It's said to be active since...

The Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems. While the nation-state group has previously employed  ScreenConnect, RemoteUtilities, and Syncro , a  new analysis  from Group-IB has revealed the adversary's use of the SimpleHelp remote support software in June 2022. MuddyWater, active since at least 2017, is assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Some of the top targets include Turkey, Pakistan, the U.A.E., Iraq, Israel, Saudi Arabia, Jordan, the U.S., Azerbaijan, and Afghanistan. "MuddyWater uses SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices," Nikita Rostovtsev, senior threat analyst at Group-IB, said. "SimpleHelp is not compromised and is used as intended. The threat actors found a way to download the tool from the of...

The Iranian nation-state hacking group known as  OilRig  has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data. "The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers," Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy  said . While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections. The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been  documented  for its targeted phishing attacks in the Middle East since at least 2014. Linked to Iran's Ministry of Intelligence and Security (MOIS), the group is known to use a diverse toolset in its operation...

An Iranian geopolitical nexus threat actor has been uncovered deploying two new targeted malware that come with "simple" backdoor functionalities as part of an intrusion against an unnamed Middle East government entity in November 2021. Cybersecurity company Mandiant attributed the attack to an uncategorized cluster it's tracking under the moniker  UNC3313 , which it assesses with "moderate confidence" as associated with the MuddyWater state-sponsored group. "UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making," researchers Ryan Tomcik, Emiel Haeghebaert, and Tufail Ahmed  said . "Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus." In mid-January 2022, U.S. intelligence agencies  characterized  MuddyWater (aka Static Kitten, Seedworm, TEMP.Zagros, or Mercury) as a subordinate element of the Iranian Ministry of Intelligence and...

Hackers with suspected ties to Iran are actively targeting academia, government agencies, and tourism entities in the Middle East and neighboring regions as part of an espionage campaign aimed at data theft. Dubbed "Earth Vetala" by Trend Micro, the latest finding expands on previous research  published by Anomali  last month, which found evidence of malicious activity aimed at UAE and Kuwait government agencies by exploiting ScreenConnect remote management tool.  The cybersecurity firm linked the ongoing attacks with moderate confidence to a threat actor widely tracked as  MuddyWater , an Iranian hacker group known for its offensives primarily against Middle Eastern nations. Earth Vetala is said to have leveraged spear-phishing emails containing embedded links to a popular file-sharing service called Onehub to distribute malware that ranged from password dumping utilities to custom backdoors, before initiating communications with a command-and-control (C2) serv...