Iran has been linked to yet another state-sponsored ransomware operation through a contracting company based in the country, according to new analysis.

"Iran's Islamic Revolutionary Guard Corps (IRGC) was operating a state-sponsored ransomware campaign through an Iranian contracting company called 'Emen Net Pasargard' (ENP)," cybersecurity firm Flashpoint said in its findings summarizing three documents leaked by an anonymous entity named Read My Lips or Lab Dookhtegan between March 19 and April 1 via its Telegram channel.
Dubbed "Project Signal," the initiative is said to have kicked off sometime between late July 2020 and early September 2020, with ENP's internal research organization, named the "Studies Center," putting together a list of unspecified target websites.

A second spreadsheet validated by Flashpoint explicitly spelled out the project's financial motivations, with plans to launch the ransomware operations in late 2020 for a period of four days between Oct. 18 and 21. Another document outlined the workflows, including steps for receiving Bitcoin payments from ransomware victims and decrypting the locked data.

It's not immediately clear whether these attacks went ahead as planned or whom they targeted.
"ENP operates on behalf of Iran's intelligence services providing cyber capabilities and support to Iran's Islamic Revolutionary Guard Corps (IRGC), the IRGC Quds Force (IRGC-QF), and Iran's Ministry of Intelligence and Security (MOIS)," the researchers said.
Despite the project's ransomware themes, the researchers suspect the move is a "subterfuge technique" to mimic the tactics, techniques, and procedures (TTPs) of financially motivated cybercriminal ransomware groups, so as to make attribution harder and blend in better with the broader threat landscape.
Interestingly, the rollout of Project Signal also dovetailed with another Iranian ransomware campaign called "Pay2Key," which ensnared dozens of Israeli companies in Nov. and Dec. 2020. Tel Aviv-based cybersecurity firm ClearSky attributed that wave of attacks to a group called Fox Kitten. Given the lack of evidence, it's unknown what connection, if any, the two campaigns have with each other.
This is not the first time Lab Dookhtegan has dumped crucial information pertaining to Iran's malicious cyber activities. In a style echoing the Shadow Brokers, Lab Dookhtegan previously spilled the secrets of an Iranian hacker group known as APT34 or OilRig, publishing the adversary's arsenal of hacking tools along with information on 66 victim organizations, and doxxing the real-world identities of Iranian government intelligence agents.
News of Iran's new ransomware operation also comes as a coalition of government bodies and private-sector tech firms, called the Ransomware Task Force, shared an 81-page report comprising a list of 48 recommendations to detect and disrupt ransomware attacks, in addition to helping organizations prepare for and respond to such intrusions more effectively.