Iran has been linked to yet another state-sponsored ransomware
operation through a contracting company based in the country,
according to new analysis.

“Iran’s Islamic Revolutionary Guard Corps (IRGC[1]) was operating a
state-sponsored ransomware campaign through an Iranian contracting
company called ‘Emen Net Pasargard’ (ENP),” cybersecurity firm
Flashpoint said[2]
in its findings summarizing three documents leaked by an anonymous
entity named Read My Lips or Lab Dookhtegan between March 19 and
April 1 via its Telegram channel.

Dubbed “Project Signal,” the initiative is said to have been
kickstarted sometime between late July 2020 and early September
2020, with ENP’s internal research organization, named the “Studies
Center,” putting together a list of unspecified target
websites.


A second spreadsheet validated by Flashpoint explicitly spelled
out the project’s financial motivations, with plans to launch the
ransomware operations in late 2020 for a period of four days
between Oct. 18 and 21. Another document outlined the workflows,
including steps for receiving Bitcoin payments from ransomware
victims and decrypting the locked data.

It’s not immediately clear if these attacks went ahead as
planned and whom they targeted.

“ENP operates on behalf of Iran’s intelligence services
providing cyber capabilities and support to Iran’s Islamic
Revolutionary Guard Corps (IRGC), the IRGC Quds Force (IRGC-QF),
and Iran’s Ministry of Intelligence and Security (MOIS),” the
researchers said.

Despite the project’s ransomware themes, the researchers suspect
the move was likely a “subterfuge technique” to mimic the
tactics, techniques, and procedures (TTPs) of financially
motivated cybercriminal ransomware groups, so as to make attribution
harder and blend in better with the threat landscape.

Interestingly, the rollout of Project Signal also dovetailed
with another Iranian ransomware campaign called “Pay2Key,” which
ensnared dozens of Israeli companies in November and December 2020. Tel
Aviv-based cybersecurity firm ClearSky attributed[3]
the wave of attacks to a group called Fox Kitten[4]. Given the lack of
evidence, it’s unknown what connection, if any, the two campaigns
have with each other.

This is not the first time Lab Dookhtegan has dumped crucial
information pertaining to Iran’s malicious cyber activities. In a
style echoing the Shadow Brokers[5], Lab Dookhtegan
previously spilled[6]
the secrets of an Iranian hacker group known as APT34 or OilRig,
publishing the adversary’s arsenal of hacking tools
along with information on 66 victim organizations, and doxxing the
real-world identities of Iranian government intelligence
agents.

News of Iran’s new ransomware operation also comes as a
coalition of government agencies and private-sector tech firms,
called the Ransomware Task Force, shared an 81-page report[7]
comprising a list of 48 recommendations to detect and disrupt
ransomware attacks, in addition to helping organizations prepare for
and respond to such intrusions more effectively.

References

  1. IRGC (en.wikipedia.org)
  2. said (www.flashpoint-intel.com)
  3. attributed (www.clearskysec.com)
  4. Fox Kitten (malpedia.caad.fkie.fraunhofer.de)
  5. Shadow Brokers (malpedia.caad.fkie.fraunhofer.de)
  6. spilled (www.wired.com)
  7. 81-page report (securityandtechnology.org)
