As tensions continue to rise in the Middle East, Iran finds itself at the center of geopolitical and internal strife, with Void Manticore leading its cyber warfare efforts. The nation’s economic struggles, compounded by international sanctions, have driven its leadership to leverage cyber warfare as a tool for exerting influence and power. Amidst ongoing protests and civil unrest, Iran’s cyber operations have intensified, targeting both regional adversaries and distant opponents. This backdrop of internal and external pressure sets the stage for the sophisticated cyber campaigns orchestrated by Iranian state-backed threat actors.
Background: Escalating Tensions and Tragic Incident
Adding to the tension, Iranian President Ebrahim Raisi and Foreign Minister Hossein Amirabdollahian recently died in a helicopter crash while crossing mountainous terrain in heavy fog, returning from a visit to the Azerbaijan border. Raisi, known as the “butcher of Tehran” for his role in the mass executions of 1988, was a hardliner who oversaw Iran’s enrichment of uranium to near weapons-grade levels and a major drone-and-missile attack on Israel. Amirabdollahian, closely linked to the Revolutionary Guard, was involved in confrontations with the West and indirect talks with the US over Iran’s nuclear program.
The unexpected deaths of these two powerful leaders have triggered a high-stakes power struggle in Iran and fueled speculation about potential foreign or domestic involvement in the crash. According to a report by The Economist, while Iranian cyber actors have been actively targeting major organizations in Albania and Israel, the possibility of Israeli involvement in the helicopter incident cannot be dismissed.
The Cyber Front: Iranian Retaliation
Amidst these geopolitical tensions, Iranian cyber operations have intensified, targeting Israel and Albania through coordinated efforts by two advanced persistent threat (APT) groups: Scarred Manticore (aka Storm-861) and Void Manticore (aka Storm-842). These groups, linked to Iran’s Ministry of Intelligence and Security (MOIS), exemplify the strategic use of cyber warfare to undermine adversaries.
The Espionage Mastermind: Scarred Manticore
Scarred Manticore is recognized as Iran’s most sophisticated espionage actor. Known for its stealthy operations, the group employs the Liontail malware framework to exfiltrate email data quietly and efficiently over extended periods. This meticulous approach allows Scarred Manticore to gather intelligence from high-value targets without immediate detection.
The Destructive Force: Void Manticore
Void Manticore, on the other hand, is tasked with executing loud and destructive cyberattacks. This group exploits the initial access provided by Scarred Manticore to launch damaging operations. Utilizing basic tools like remote desktop protocol (RDP) for lateral movement and the reGeorg web shell, Void Manticore focuses on destroying organizational data. They operate under fake activist personas, such as Homeland Justice in Albania and Karma in Israel, to conduct hack-and-leak campaigns.
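The reGeorg web shell named above is a tunnelling tool: once dropped on a web server, the operator drives it with HTTP requests whose custom headers open and relay sockets, which is how RDP to internal hosts ends up riding over port 443. A defender who proxies or captures traffic to the web tier can spot that pattern. The following is an added example, not code from the article, from Check Point or from the reGeorg project: the header names (X-CMD, X-TARGET, X-PORT) and the readiness banner are those the public reGeorg tunnel client and server scripts exchange; the record format and the capture itself are constructed sample data with documentation-range IP addresses.

```python
from collections import Counter

# X-CMD values the reGeorg tunnel client sends to its server-side script.
REGEORG_COMMANDS = {"CONNECT", "READ", "FORWARD", "DISCONNECT"}
# Body the server-side script returns to a plain GET, used to confirm the shell is up.
REGEORG_BANNER = "Georg says, 'All seems fine'"


def _headers_ci(req):
    """Lower-case header names so matching does not depend on the proxy's casing."""
    return {k.lower(): v for k, v in req.get("headers", {}).items()}


def classify_request(req):
    """Return the reasons one proxied request looks like reGeorg tunnel traffic (empty list if clean)."""
    reasons = []
    h = _headers_ci(req)
    cmd = h.get("x-cmd", "").upper()
    if cmd in REGEORG_COMMANDS:
        reasons.append(f"X-CMD {cmd} is a reGeorg tunnel command")
    if cmd == "CONNECT" and ("x-target" in h or "x-port" in h):
        # CONNECT names the internal host and port the web shell is asked to reach.
        reasons.append(f"CONNECT to X-TARGET={h.get('x-target')} X-PORT={h.get('x-port')} via web shell")
    if REGEORG_BANNER in req.get("response_body", ""):
        reasons.append("response body contains the reGeorg readiness banner")
    return reasons


def scan_capture(capture):
    """Scan a list of proxied requests; return per-request hits and the script paths carrying tunnel traffic."""
    hits = []
    paths = Counter()
    for i, req in enumerate(capture):
        reasons = classify_request(req)
        if reasons:
            hits.append((i, req["path"], reasons))
            paths[req["path"]] += 1
    return hits, paths


# Constructed sample capture (hypothetical records, not real traffic): one benign visitor and one
# operator who checks the dropped script, then opens a tunnel toward an internal RDP port.
SAMPLE_CAPTURE = [
    {"method": "GET", "path": "/index.html", "src": "203.0.113.10",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"method": "GET", "path": "/uploads/tunnel.aspx", "src": "198.51.100.7",
     "headers": {}, "response_body": "Georg says, 'All seems fine'"},
    {"method": "POST", "path": "/uploads/tunnel.aspx", "src": "198.51.100.7",
     "headers": {"X-CMD": "CONNECT", "X-TARGET": "10.0.0.5", "X-PORT": "3389"}},
    {"method": "POST", "path": "/uploads/tunnel.aspx", "src": "198.51.100.7",
     "headers": {"X-CMD": "FORWARD"}},
    {"method": "POST", "path": "/uploads/tunnel.aspx", "src": "198.51.100.7",
     "headers": {"X-CMD": "READ"}},
    {"method": "POST", "path": "/api/login", "src": "203.0.113.10",
     "headers": {"Content-Type": "application/json"}},
]


if __name__ == "__main__":
    hits, paths = scan_capture(SAMPLE_CAPTURE)
    for index, path, reasons in hits:
        print(f"request {index} {path}: " + "; ".join(reasons))
    print("script paths with tunnel activity:", dict(paths))
```

The per-path counter matters as much as the header match: a tunnel produces a steady stream of POSTs to a single script under a writable directory such as an upload folder, so even a renamed or lightly modified shell stands out by volume and location once the first header hit points at the path.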
Strategic Coordination: The Manticore Alliance
The synergy between Scarred Manticore and Void Manticore represents a calculated strategy to maximize the impact of Iranian cyber operations. Scarred Manticore conducts the initial espionage, maintaining access and gathering intelligence. When geopolitical events, such as the assassination of the Iranian general, escalate tensions, the collected intelligence is handed over to Void Manticore for destructive exploitation.
Techniques and Procedures
Void Manticore’s methods, although crude, are highly effective. They employ custom wipers to either corrupt specific files or target the partition table, making data inaccessible without deleting it. This approach ensures significant disruption to the targeted organizations.
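A wiper that overwrites the partition table leaves file data on disk but removes the structures the operating system needs to find it, which is why the first triage step on an affected machine is to check the MBR and GPT structures of a forensic image rather than the file system. The check below is an added example, not code from the article or from Check Point: it builds a constructed disk image in memory (protective MBR, primary GPT header at LBA 1, backup header at the last LBA, laid out as the UEFI GPT specification defines them), verifies signatures and CRC32 values, and reports what is missing or corrupt. The image contents and the damage simulated on it are constructed sample data; nothing here touches a real disk.

```python
import struct
import zlib

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"           # boot signature at bytes 510-511 of LBA 0
GPT_SIGNATURE = b"EFI PART"           # first 8 bytes of a GPT header (LBA 1 and the last LBA)
GPT_HEADER_SIZE = 92
ENTRY_SIZE, ENTRY_COUNT = 128, 128    # standard entry array: 128 x 128 bytes = 32 sectors


def _crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def _gpt_header(current_lba, backup_lba, entries_lba, last_lba, entries_crc):
    """Assemble one GPT header in the UEFI layout; the header CRC is computed with its own field zeroed."""
    hdr = bytearray(GPT_HEADER_SIZE)
    hdr[0:8] = GPT_SIGNATURE
    struct.pack_into("<I", hdr, 8, 0x00010000)           # revision 1.0
    struct.pack_into("<I", hdr, 12, GPT_HEADER_SIZE)
    struct.pack_into("<Q", hdr, 24, current_lba)
    struct.pack_into("<Q", hdr, 32, backup_lba)
    struct.pack_into("<Q", hdr, 40, 34)                  # first usable LBA (after the primary entry array)
    struct.pack_into("<Q", hdr, 48, last_lba - 33)       # last usable LBA (before the backup entry array)
    struct.pack_into("<Q", hdr, 72, entries_lba)
    struct.pack_into("<II", hdr, 80, ENTRY_COUNT, ENTRY_SIZE)
    struct.pack_into("<I", hdr, 88, entries_crc)
    struct.pack_into("<I", hdr, 16, _crc32(bytes(hdr)))  # offset 16 is still zero here, as the spec requires
    return bytes(hdr)


def build_sample_image(sectors=128):
    """Constructed sample disk image: protective MBR, primary GPT at LBA 1, backup GPT at the last LBA."""
    img = bytearray(sectors * SECTOR)
    last = sectors - 1
    # Protective MBR entry of type 0xEE spanning the disk, followed by the 0x55AA boot signature.
    img[446:462] = struct.pack("<BBBBBBBBII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, last)
    img[510:512] = MBR_SIGNATURE
    entries = bytes(ENTRY_COUNT * ENTRY_SIZE)            # an empty entry array is enough for the check
    entries_crc = _crc32(entries)
    img[1 * SECTOR:1 * SECTOR + GPT_HEADER_SIZE] = _gpt_header(1, last, 2, last, entries_crc)
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    img[(last - 32) * SECTOR:last * SECTOR] = entries    # backup entry array sits just before the backup header
    img[last * SECTOR:last * SECTOR + GPT_HEADER_SIZE] = _gpt_header(last, 1, last - 32, last, entries_crc)
    return img


def check_partition_table(img):
    """Triage check: list which partition structures are missing or fail their CRC (empty list = intact)."""
    findings = []
    sectors = len(img) // SECTOR
    if bytes(img[510:512]) != MBR_SIGNATURE:
        findings.append("MBR: boot signature 0x55AA missing")
    for label, lba in (("primary GPT", 1), ("backup GPT", sectors - 1)):
        off = lba * SECTOR
        hdr = bytes(img[off:off + GPT_HEADER_SIZE])
        if hdr[:8] != GPT_SIGNATURE:
            findings.append(f"{label}: header signature missing at LBA {lba}")
            continue
        stored_crc = struct.unpack_from("<I", hdr, 16)[0]
        zeroed = bytearray(hdr)
        zeroed[16:20] = b"\x00\x00\x00\x00"
        if _crc32(bytes(zeroed)) != stored_crc:
            findings.append(f"{label}: header CRC32 mismatch")
        entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
        entries_crc = struct.unpack_from("<I", hdr, 88)[0]
        start = entries_lba * SECTOR
        if _crc32(bytes(img[start:start + count * size])) != entries_crc:
            findings.append(f"{label}: partition entry array CRC32 mismatch")
    return findings


def damaged_copy(img, first_sectors):
    """Return a copy of the image with its first N sectors zeroed: the footprint a partition-table wipe leaves."""
    copy = bytearray(img)
    copy[:first_sectors * SECTOR] = bytes(first_sectors * SECTOR)
    return copy


if __name__ == "__main__":
    sample = build_sample_image()
    print("intact image:", check_partition_table(sample) or "no findings")
    print("after zeroing the first 2 sectors:", check_partition_table(damaged_copy(sample, 2)))
```

The useful output is not just that the primary structures are gone but that the backup GPT at the end of the disk reports clean: a wipe confined to the first sectors of the disk, as the article describes, leaves the backup header and entry array intact, and that is what a recovery tool restores from. A wiper that also corrupts files inside partitions is a different matter, and this check says nothing about file contents.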
Challenges in Defense
Defending against these dual threats is challenging. Each group brings distinct tools, infrastructure, and tactics, complicating defensive measures. The swift handoff from espionage to destruction leaves little time for organizations to respond once Void Manticore begins its operations. Sergey Shykevich, threat intelligence group manager at Check Point, stresses the importance of immediate action upon detecting destructive activities.
Preventive Measures
Organizations can adopt measures to mitigate these threats. Competent endpoint security can block Void Manticore’s simpler tactics, while patch management can prevent Scarred Manticore’s initial access by addressing known vulnerabilities like CVE-2019-0604 in Microsoft SharePoint.
Conclusion
The dual-pronged cyber threats from Scarred Manticore and Void Manticore highlight the evolving landscape of cyber warfare between Iran and Israel. These operations underscore the need for robust cybersecurity measures and rapid response strategies. As geopolitical tensions continue to drive cyber conflicts, organizations must remain vigilant to safeguard against these sophisticated and coordinated threats. The deaths of President Ebrahim Raisi and Foreign Minister Hossein Amirabdollahian add another layer of complexity to an already volatile situation, further emphasizing the critical importance of cybersecurity in this high-stakes environment.