Iranian Hackers Initiate Devastating Cyber Attacks Targeting Israeli Technology and Education Industries

Israeli Higher Education and Tech Sectors Targeted in Sophisticated Cyber Attacks

Israeli higher education and technology institutions have faced a wave of cyber attacks that began in January 2023, with attackers aiming to deploy previously unknown wiper malware. These targeted breaches included attempted data theft and the installation of malware designed to disrupt operations. In October, these intrusions were attributed to a state-sponsored Iranian group that the cybersecurity firm Palo Alto Networks tracks as "Agonizing Serpens," also known by other aliases such as Agrius, BlackShadow, and Pink Sandstorm.

The cyber threat landscape in Israel has been particularly troubled, with attackers employing tactics focused on stealing sensitive information, including personally identifiable information (PII) and intellectual property. In a report shared with The Hacker News, Unit 42 from Palo Alto Networks documented these malicious activities, underscoring the severity of the threat posed by this Iranian hacking group. Evidence suggests that these attacks might involve exploiting vulnerabilities in internet-facing web servers to initiate access, deploy web shells, and conduct reconnaissance on victim networks.

Once attackers gain entry, they typically move laterally to reach and exfiltrate data, using a mix of publicly available tools and custom software, including a database extraction tool named Sqlextractor. Palo Alto Networks has outlined a series of distinct wipers employed by Agonizing Serpens, including MultiLayer, PartialWasher, and BFG Agonizer, which collectively serve to cover the attackers’ tracks and render affected endpoints unusable. Deployment of these wipers typically follows a pattern of initial access, data exfiltration, and finally, system destruction.

Agonizing Serpens has maintained an active presence in the cyber landscape since at least December 2020, frequently targeting Israeli entities. Their prior use of ransomware, such as a strain called Moneybird, demonstrated the group’s evolving tactics. The recent attacks appear to employ sophisticated methods of infiltration and concealment, highlighting the hackers’ intent to enhance their operational capabilities.

Investigations indicate that these cyber campaigns rely on various MITRE ATT&CK tactics and techniques. Initial access could involve exploitation of internet-facing applications to gain a foothold in victim organizations. After establishing access, privilege escalation may occur to acquire administrative credentials, enabling lateral movement within the network. Once inside, the attackers can execute data exfiltration and implement their destructive malware.

The sophistication of these attacks raises significant concerns regarding the security posture of targeted entities. Unit 42 researchers have noted an apparent uptick in the group’s efforts to bypass endpoint detection and response (EDR) solutions by integrating a variety of known proof-of-concept tools, thereby complicating detection and mitigation strategies.

Business owners and cybersecurity professionals should remain vigilant and proactive in addressing potential vulnerabilities within their organizations. The ongoing threat posed by groups like Agonizing Serpens illustrates the necessity of robust cybersecurity frameworks and the importance of integrating threat intelligence to defend against evolving tactics used by state-sponsored adversaries.
