
Iranian Hackers Infiltrate 32 Israeli Companies in Expansive Cyber Campaign

In a recent revelation, the cybersecurity firm ESET disclosed that Iranian hackers have successfully breached the networks of approximately 32 Israeli companies. This cyber intrusion also extended to businesses in Brazil and the United Arab Emirates. While the specific names of the affected companies remain undisclosed, it is known that they span various industries, including insurance, healthcare, manufacturing, telecommunications, IT, technology, retail, automotive, legal, financial services, architecture, and civil engineering.


The group responsible for this cyber campaign has been identified as “Ballistic Bobcat,” operating under various aliases such as “Charming Kitten,” “TA543,” “PHOSPHORUS,” and APT35/42. While their primary objective is cyber espionage, Ballistic Bobcat has also been involved in data theft and ransom attacks. Intriguingly, ESET’s findings suggest that other unauthorized entities gained access to the compromised networks, affecting at least 16 companies, although specific details regarding these secondary attackers remain undisclosed.


ESET researcher Adam Berger, who uncovered the backdoor known as “Sponsor” and analyzed the group’s latest campaign, advises users to promptly install up-to-date security patches on all devices connected to the Internet. Organizations should also watch for unexpected applications appearing within their infrastructure. The “Sponsor” backdoor is particularly cunning: its configuration files are quietly executed as batch files that mimic legitimate processes, which helps it evade detection by security scans.


The Ballistic Bobcat group initiated the use of this backdoor in September 2021. During the height of the COVID-19 pandemic, their targets included organizations involved in pandemic-related activities, such as the World Health Organization (WHO) and medical research institutions. Speculation surrounds the motive behind these attacks, suggesting they may have aimed to share information with Iranian authorities concerning global disease management and vaccine development at the time.


Further investigation by researchers found that the hackers exploited a known vulnerability in Microsoft’s Exchange email servers in at least 23 of the 34 documented attacks. Microsoft had already released a software update addressing this vulnerability, which suggests that the victims failed to update their systems in a timely manner, leaving the door open for the hackers.


Remarkably, these cyberattacks were not part of a meticulously targeted campaign. Rather, the hackers used scanning tools to identify vulnerable systems and opportunistically infiltrated whatever networks they discovered. It is worth noting that Iranian hacking groups regularly target Israeli entities, perpetually probing for weaknesses in corporate, government, and military networks. Russian, North Korean, Syrian, and Turkish cyberattack groups also operate against Israel, though primarily for criminal rather than political or strategic motives. Nevertheless, a successful breach of Israeli systems can have political repercussions.


Israel and Iran have been conducting covert cyber warfare for several years. Iranian activity has been detected in various cases, including the disruption of the Hillel Yaffe Hospital and infiltrations into the networks of defense firms, municipalities, national infrastructure, and government organizations. These operations serve different purposes, ranging from intelligence gathering to disrupting activities or planting trojan programs for future exploitation. The ultimate impact of the newly identified campaign remains unclear, leaving open questions about its success and what may follow.
