Flag of Israel flying over city showing ransomware gang cyber attack

Suspected Iranian Ransomware Gang N3tw0rm Starts Another Cyber Attack Wave Against Israel

Israel media reports that the state is experiencing a new cyber attack wave related to ideological hacktivism motivated by geopolitics.

The new wave of attacks reignited six months after the last resurgence that targeted more than 80 Israeli companies.

Experts attribute the current cyber campaign to Iranian hackers, some masquerading as Russian ransomware gangs. The same threat actors were believed to be responsible for the last cyber campaign against Israel.

Iranian ransomware gang threatens to release data from Israeli firms

Four Israeli companies and one nonprofit organization were breached in this wave attributed to an Iranian ransomware gang N3tw0rm (Networm).

Haaretz reported that the cybercriminals added H&M Israel and Veritas Logistics logos on their data leak site, which they use to threaten to leak stolen files.

The hackers threatened to leak stolen data estimated to be about 110GB from H&M and 9GB from Veritas.

Subsequently, they demanded three Bitcoins worth about US$170,000 at the time from Veritas. Another ransomware demand was four Bitcoins valued at approximately US$231,000.

Cyber attack wave linked to Iranian cyberwarfare motivated by geopolitics

Cybersecurity expert Shay Pinsker from OP Innovate told Haaretz that Networm’s cyber attack wave resembled Pay2Key attacks that targeted Israel during the last campaign. The hacking group is associated with Iranian state-backed threat actor Fox Kitten.

Pay2Key was accused of the hacking of Israel Aerospace Industries and an Israeli cybersecurity firm Portnox, according to the Times of Israel.

A private message shared between Israeli security researchers between November 2020 and February 2021 also made a similar suggestion.

Pinsker also noted that the ransomware gang was an Iranian hacking group pretending to be a Russian ransomware gang to cover its tracks. He also posited that the cyber attack barrage appeared politically motivated because the ransomware gang did not intend to release the data.

Additionally, the ransom demands in each cyber attack were strikingly lower compared with other corporate victims.

The cybersecurity expert believed that the hacking group’s participation in negotiations was a pretext to buy more time to conceal its activities.

Politically motivated cyber attacks merge cybercrime with cyberespionage. Experts believe that cyber attacks against Israel are intended to undermine its economic power in response to various developments in the Middle East.

Executing cyber attacks against Israel was a safer retaliation method for Iran following recent events in the turbulent region.

N3tW0rm implements a client-server model that saves encryption keys on the victim’s server

Unlike other threat actors distributing a standalone ransomware executable, the Networm ransomware gang implements a client-server model after penetrating the network.

BleepingComputer reported that once the hackers successfully breached a victim’s network, they installed malware on the server that would listen for connections from other workstations. They use PAExec to execute the client (“slave.exe”) on the workstations and start encrypting files. The slave copies evasion tactics from the open-source Al-khaser, according to Minerva Labs CEO Eddy Bobritsky.

“The malware tries to create a file with illegal characters, an operation that should fail on a genuine operating system, but not in emulators used by anti-viruses,” Bobritsky adds.

The tech website also noted that the infected server stores the encryption keys on a file while encrypting a network. This strategy minimizes communication with the command-and-control server thus concealing its malicious activity.

When the process completes, the encrypted files have the ‘.n3tw0rm’ file extension. However, the victims could recover their files if the process fails to remove the keys.

Bobritsky noted that the current wave of cyber attacks against Israeli companies created a shockwave in the country’s cybersecurity landscape.