The latest warning from the research team at Check Point, published today, is a timely reminder that the shifting sands of the cyber landscape will be a serious issue for president-elect Biden. On the surface, this latest report is on the increasing scourge of ransomware—a primarily commercial threat. But dig a little deeper and what becomes clear is that this shines a light on enhanced capabilities in Iran, which is quickly honing its malicious skillset.
A week ago, Check Point reported on ransomware attacks against “an exceptional number” of Israeli companies. While some of those attacks used known tools, the likes of REvil and Ryuk, Check Point warned that “several large corporations experienced a full-blown attack with a previously unknown ransomware variant named Pay2Key.”
According to the research team, the campaign built around this new Pay2Key ransomware “presented an ability to make a rapid move of spreading the ransomware within an hour to the entire network.” Ransom demands were low, less than $150,000, but the fact that a new and virulent threat had been launched onto the market needed to be taken seriously.
On presenting its findings, Check Point said that “the recent Pay2Key ransomware attacks indicate a new threat actor is joining the trend of targeted ransomware attacks—presenting a well-designed operation to maximize damage and minimize exposure.”
As interesting as that was, it has just become much more so. Check Point has now attributed the Pay2Key attacks to an Iranian threat actor. And this is a major surprise. As the firm’s Lotem Finkelsteen explains, “we usually associate ransomware operators with Russian-speaking hacking groups—this is very uncommon to see it related to Iranian hackers.”
According to Finkelsteen, “this ransomware operation is sophisticated both technically and strategically.” But, again, that’s not the real takeaway here. First, the obvious. This is an Iranian actor attacking Israeli interests. “We see Iran is working very hard to expand its cyber operation against Israeli entities,” Finkelsteen says, further proof that “the two countries express their aggression mostly through cyberattacks.”
And this wasn’t a fly-by-night operation. “The fact they leaked vast amounts of data from each victim,” Finkelsteen explains, “tells us that they gained a foothold in each company far before the encryption took place.” The rapid-fire attacks were then “probably to avoid analysis of a single attack that will put in danger the success of the rest.”
Check Point expects the Iranian ransomware group to expand their attacks “globally”; there have already been initial reports from Europe. The team “traced Bitcoin wallets found in ransomware notes to an Iranian cryptocurrency exchange requiring a valid Iranian phone number and government ID for user eligibility.”
And this leads to the second point. Iran has been fast expanding its cyber expertise, attacking strategic regional targets on one hand and generating economic returns through widespread attacks on mainstream apps on the other. This latest campaign sits somewhere between the two. It’s fair warning that Iran has been developing new tools while the world focused on combatting coronavirus, and those new tools are now ready for use.
Ransomware is fast becoming the predominant cyber threat to mainstream organizations worldwide. “We do see a global surge in attacks,” Finkelsteen warns. “In Q3 2020, we saw a 50% increase in the average daily number of ransomware attacks, compared to the first half of the year, with Ryuk and Maze strains doing most damage.”
Now we have a new threat actor added to the mix with a set of dangerous new tools and techniques. And one that has a political agenda as well as the ruthless commercial focus that characterizes such ransomware attacks. Why else would hospitals and research facilities have come under such threat mid-pandemic?
Attribution in cyber is rarely definite, not unless there’s an admission. And so while all the evidence here points to Iran, it would not be entirely shocking if there were more to this. That said, the regional targets would seem to support Check Point’s assertion.
Just before the pandemic came to dominate headlines worldwide, we were debating the implications of the killing of Qassem Suleimani and whether Iran would deploy its preeminent cyber tools against targets including the U.S. and its allies. The conclusion was that it would not, that it would continue its noisy campaigns without provoking a level of retaliation it could not deal with. This campaign, commercial in nature but befitting the ongoing “cyber winter” between Iran and Israel, certainly fits the bill.
Meanwhile, ever more organizations at risk from such attacks will be researching the anti-ransomware measures they now need to put in place.
Source: Forbes, November 12, 2020 at 06:00PM
https://www.forbes.com/sites/zakdoffman/2020/11/12/forget-russia-iranian-hackers-behind-malicuous-new-cyber-attacks-warns-new-report/
Forget Russia—Iranian Hackers Behind Malicious New Cyber Attacks, Warns New Report - Forbes