CyberSecurity SEE

Iran Launches Coordinated APT Campaign, Targeting Israel and Albania with Wiper Attacks

Iranian state-backed threat actors have been actively involved in spying on and carrying out destructive operations against major organizations in Albania and Israel.
One of the most sophisticated espionage actors linked to Iran’s Ministry of Intelligence and Security (MOIS) is Scarred Manticore, also known as Storm-861. This group has been conducting surveillance on high-value targets across the Middle East and beyond with great effectiveness. In a bold move, another MOIS advanced persistent threat (APT) known as Void Manticore, or Storm-842, has been capitalizing on Scarred Manticore’s initial access to launch its own destructive campaigns.

Void Manticore has reportedly targeted over 40 Israeli organizations and carried out high-profile campaigns in Albania as well. The collaboration between these two threat actors, as described in a blog post by Check Point Research, is strategic and leverages each group’s strengths. Scarred Manticore specializes in discreet spying using its Liontail malware framework for email data exfiltration over extended periods. On the other hand, Void Manticore is more aggressive, using hacktivist personas like Homeland Justice and Karma for its operations in Albania and Israel, respectively.

Void Manticore’s tactics include using basic tools such as the Remote Desktop Protocol (RDP) for lateral movement and the reGeorg web shell to gain access to an organization’s files before causing havoc. The group also possesses custom wipers designed either to corrupt specific files or to target the partition table, rendering the data on the disk inaccessible.

Defending against two distinct threat actors with different tools, infrastructure, and techniques can pose a challenge for targeted organizations. In light of this new phenomenon, experts suggest focusing on the more sophisticated threat actor, Scarred Manticore, because espionage campaigns run over a far longer timeline than destructive ones. Organizations are advised to act swiftly upon detecting the presence of the destructive actor, since it tends to move quickly once it has network access.

Simple defenses, such as robust endpoint security, can help block Void Manticore’s straightforward tactics. Additionally, early intervention against Scarred Manticore’s attacks, which often exploit known vulnerabilities such as CVE-2019-0604 in Microsoft SharePoint, can thwart its espionage efforts. Preventative measures can significantly reduce the risk posed by these Iranian state-backed threat actors.

As the cybersecurity landscape continues to evolve, organizations must remain vigilant and proactively implement defense strategies to safeguard against sophisticated threat actors like Scarred Manticore and Void Manticore. By staying informed and adopting best practices in cybersecurity, companies can mitigate the potential impact of malicious activities orchestrated by state-sponsored adversaries.
