
Iran APTs Tag Team Espionage, Wiper Attacks Against Israel & Albania

Scarred Manticore is the smart, sophisticated one. But when Iran needs something destroyed, it hands the keys over to Void Manticore.


Iranian state-backed threat actors have been working closely to spy on, and then wreak havoc against, major organizations in Albania and Israel.

Iran's Ministry of Intelligence and Security (MOIS)-linked Scarred Manticore (aka Storm-861), Iran's most sophisticated espionage actor, has been spying on high-value organizations across the Middle East and beyond for some time now. The group is so effective at what it does, in fact, that an entirely different MOIS advanced persistent threat (APT) — Void Manticore (aka Storm-842) — is piggybacking off of its initial access to launch destructive campaigns of its own.

To date, Void Manticore claims to have successfully targeted more than 40 Israeli organizations, with a number of high-profile campaigns in Albania as well.

Void Manticore, Scarred Manticore

As described in a blog post from Check Point Research, the arrangement between manticores is simple, and leverages each group's strengths.

First, Scarred Manticore does the spying. Its clever, fileless Liontail malware framework allows it to quietly perform email data exfiltration, often for well over a year's time.

Then, says Sergey Shykevich, threat intelligence group manager at Check Point, "When there is some escalation, like with Mojahedin-e-Khalq (MEK) in Albania or with the war in Israel, there's some decisionmaker in the government that decides, 'Let's go burn our cyber access for espionage and instead do influence and destructive operations.' And then they pass it to the other actor, focused on the same organization."

Where Scarred Manticore is incisive and subtle, Void Manticore is loud and messy.

Part of the operation is about hack-and-leaks, where Void Manticore operates under the faketivist personas Homeland Justice, for campaigns pertaining to Albania, and Karma, for Israel.

The group's other job is sheer demolition. Using largely basic and publicly available tooling — like Remote Desktop Protocol (RDP) for lateral movement, and the reGeorg Web shell — it aims for an organization's files and then starts swinging. Sometimes, this involves manually deleting files and shared drives.
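Because Void Manticore moves laterally over plain RDP rather than with custom tooling, the signal defenders have is volume and timing: one account fanning out over RDP to several hosts in a short window. The following is an added example, not code from Check Point or from the article, that runs that heuristic over a few constructed log lines. The line format, the 15-minute window and the three-host threshold are assumptions; only the Windows meaning of Event ID 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) is real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified collector format (not real exported
# Windows logs). Event 4624 = successful logon; LogonType 10 = RDP session.
SAMPLE_LOGS = """\
2024-05-20T01:02:03Z 4624 LogonType=10 Host=FS01 SrcIP=10.0.5.23 User=svc_backup
2024-05-20T01:04:11Z 4624 LogonType=10 Host=FS02 SrcIP=10.0.5.23 User=svc_backup
2024-05-20T01:05:40Z 4624 LogonType=10 Host=DC01 SrcIP=10.0.5.23 User=svc_backup
2024-05-20T01:07:02Z 4624 LogonType=10 Host=APP03 SrcIP=10.0.5.23 User=svc_backup
2024-05-20T01:09:30Z 4624 LogonType=2 Host=WS17 SrcIP=- User=alice
2024-05-20T08:15:00Z 4624 LogonType=10 Host=JUMP01 SrcIP=10.0.9.4 User=bob
2024-05-20T09:45:00Z 4624 LogonType=10 Host=JUMP01 SrcIP=10.0.9.4 User=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<ltype>\d+) Host=(?P<host>\S+) "
    r"SrcIP=(?P<src>\S+) User=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse the constructed format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "ltype": int(m["ltype"]),
            "host": m["host"],
            "src": m["src"],
            "user": m["user"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_fanout(events, window=timedelta(minutes=15), min_hosts=3):
    """Alert when one (source IP, account) pair opens RDP sessions to at
    least `min_hosts` distinct hosts inside a sliding time window.
    Window and threshold are assumed values, not from the article."""
    recent = defaultdict(list)     # (src, user) -> [(ts, host)] inside window
    alerts_by_key = {}
    for e in events:
        if e["eid"] != 4624 or e["ltype"] != 10:
            continue               # only successful RDP logons count
        key = (e["src"], e["user"])
        bucket = recent[key]
        bucket.append((e["ts"], e["host"]))
        cutoff = e["ts"] - window
        bucket[:] = [(t, h) for t, h in bucket if t >= cutoff]
        hosts = {h for _, h in bucket}
        if len(hosts) >= min_hosts:
            alert = alerts_by_key.get(key)
            if alert is None:
                alert = {"src": key[0], "user": key[1], "hosts": set(),
                         "first_seen": bucket[0][0], "last_seen": e["ts"]}
                alerts_by_key[key] = alert
            # Keep extending the alert as the fan-out continues.
            alert["hosts"].update(hosts)
            alert["last_seen"] = e["ts"]
    return list(alerts_by_key.values())


if __name__ == "__main__":
    for a in detect_rdp_fanout(parse_events(SAMPLE_LOGS)):
        print(f"{a['user']}@{a['src']} -> {sorted(a['hosts'])} "
              f"between {a['first_seen']} and {a['last_seen']}")
```

Only the `svc_backup` burst trips the rule; `bob` reconnecting to the same jump host twice does not, because the heuristic counts distinct destinations rather than session counts. In production the same logic is usually expressed as a SIEM correlation rule, with the window and threshold tuned to how many hosts an administrator legitimately touches.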

The group also has an arsenal of custom wipers, which can generally be thought of in two categories. Some are designed to corrupt specific files or file types, a more targeted approach.

Other Void Manticore wipers target the partition table — the part of the host system responsible for mapping out where files are located on the disk. Once the partition table is ruined, the data on the disk remains untouched yet inaccessible.
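That distinction, map destroyed but data intact, is what an incident responder checks first on a hit machine. The following is an added example, not code from the article or from Check Point, that builds a small constructed disk image, decodes its classic MBR partition table (four 16-byte entries at byte 446, 0x55AA boot signature at byte 510), and then scans the whole image for NTFS volume boot sectors regardless of what the table says. The image layout, sector counts and the `assess_image` verdict fields are assumptions made for the demonstration.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xAA"
NTFS_OEM_ID = b"NTFS    "


def build_sample_image(intact: bool) -> bytes:
    """Constructed 64-sector image with one NTFS-style volume at LBA 8.
    With intact=False, sector 0 carries no partition entries and no boot
    signature, standing in for a disk whose partition table was destroyed;
    the volume's own boot sector is left in place either way."""
    img = bytearray(64 * SECTOR)
    if intact:
        # One entry: bootable, type 0x07 (NTFS/exFAT), start LBA 8, 32 sectors.
        entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00",
                            0x07, b"\x00\x00\x00", 8, 32)
        img[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = entry
        img[510:512] = MBR_SIGNATURE
    vbr = 8 * SECTOR
    img[vbr:vbr + 3] = b"\xEB\x52\x90"      # jump instruction of an NTFS VBR
    img[vbr + 3:vbr + 11] = NTFS_OEM_ID     # OEM ID at byte 3 of the VBR
    return bytes(img)


def parse_mbr(sector0: bytes) -> dict:
    """Decode the MBR: boot signature plus the four partition entries."""
    result = {"signature_ok": sector0[510:512] == MBR_SIGNATURE,
              "partitions": []}
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        result["partitions"].append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors})
    return result


def carve_ntfs_boot_sectors(image: bytes) -> list:
    """Find NTFS volume boot sectors by signature, ignoring the table.
    This is what shows the data still exists when the map is gone."""
    hits = []
    for lba in range(len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[3:11] == NTFS_OEM_ID:
            hits.append(lba)
    return hits


def assess_image(image: bytes) -> dict:
    """Compare what the partition table claims with what carving finds."""
    mbr = parse_mbr(image[:SECTOR])
    carved = carve_ntfs_boot_sectors(image)
    mapped = {p["lba_start"] for p in mbr["partitions"]}
    orphaned = [lba for lba in carved if lba not in mapped]
    return {
        "signature_ok": mbr["signature_ok"],
        "partition_count": len(mbr["partitions"]),
        "volume_boot_sectors": carved,
        "orphaned_volumes": orphaned,
        "table_damaged": (not mbr["signature_ok"]) or bool(orphaned),
    }


if __name__ == "__main__":
    for label, intact in (("intact", True), ("table destroyed", False)):
        print(label, assess_image(build_sample_image(intact)))
```

On the damaged image the table reports nothing, yet carving still finds the volume at LBA 8: the file system is orphaned, not erased, which is why a partition-table rewrite or a signature-based recovery tool can often bring the data back after this class of wiper. Real images are read from a forensic copy, never the live disk, and GPT disks need the protective MBR and the GPT header parsed as well.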

Fighting Two Against One

Organizations on the receiving end of Iranian state-level attacks might find it extra challenging to defend against two different threat actors, each with their own tools, infrastructure, tactics, techniques, and procedures (TTPs). "It's a new phenomenon," Shykevich admits, "so I don't think anyone has really thought deeply about this yet."

The easier path may be to focus on the initial threat, despite its greater sophistication, because espionage campaigns typically take far longer than destructive ones. "Once someone encounters the destructive actor, they must operate immediately. We've seen when the destructive actor receives access to the network, it operates almost immediately. So the timeframe, from the handoff between these two actors before the destruction starts, is very small," he says.

There are also simple defenses any organization can prepare to keep out either group. Void Manticore's simplistic TTPs, for one, can generally be blocked with competent endpoint security.

Even Scarred Manticore's stealthy espionage can be cut off early, at the source. In most cases, it begins its attacks by exploiting CVE-2019-0604, a critical but half-decade-old Microsoft SharePoint vulnerability. "So it's preventable," Shykevich says. "It's not like it's a zero-day, or some other thing where there's zero means to prevent it."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
