
ESET denies compromise of Israel branch amidst targeted attacks – The Register


ESET, a prominent cybersecurity company, has firmly denied that its Israel branch was compromised in a recent wiper campaign targeting victims in Israel. The campaign, which appeared to be run through ESET’s own infrastructure, was brought to light by infosec researcher Kevin Beaumont. Beaumont outlined a scenario in which an Israeli business fell victim to a wiper attack after an employee clicked on a link in an email that appeared to come from ESET’s Advanced Threat Defense Team in Israel. Although the email passed DKIM and SPF checks against ESET’s domain, Google Workspace still flagged it as malicious.

The initial email, distributed on October 8, specifically targeted cybersecurity professionals in Israel and contained a .ZIP file hosted on ESET servers. Recipients were told that their devices were being targeted by a “state-backed threat actor” and were invited to join ESET’s Unleashed program, which Beaumont noted may not exist as a standalone initiative, although the vendor does reference the name from time to time. The malicious download bundled various legitimate ESET DLLs with a fake setup.exe that invoked known ransomware payloads.

Interestingly, the wiper attack coincided with the Iron Swords War memorial day, which commemorates lives lost when Hamas troops attacked Israel on October 7, 2023. This timing, along with the targets being cybersecurity professionals in Israel, has raised suspicions of possible hacktivist motives behind the campaign.

Beaumont emphasized the severity of the attack, stating that there seems to be no way to recover from it: it is a wiper, designed to irreversibly destroy data. ESET quickly responded, refuting claims that its Israel branch had been compromised. The company asserted that it had blocked a limited malicious email campaign within ten minutes and that its technology was effectively protecting customers from the threat.

The source of the malicious activity remains unknown, but the tactics used in the attack align closely with previous actions attributed to the pro-Palestine Handala group. Trellix researchers previously highlighted Handala’s history of wiper attacks in Israel, with the group targeting numerous Israeli organizations in recent months. The Israeli government issued an urgent warning in response to the incidents, which have now escalated to the leaking of private files and emails from prominent Israeli figures.

Recent victims of Handala’s activities include Doscast, Soreq Nuclear Research Center, Max Shop, and Silver Shadow. These ongoing attacks underscore the importance of robust defensive measures against evolving threats. ESET says it continues to monitor the situation closely and is collaborating with its partners to investigate further.
