Report: Criminal cyber actions are used to cover Iranian strategic operations against Israel

The SentinelOne report names hacker group Agrius as an Iranian agent. Sources said this group was behind the Shirbit and the KLS attacks

Raphael Kahan, 11:59, 26.05.21

A new study from Israeli company SentinelOne is claiming that an Iranian hacker group, operating under the Iranian government, is behind numerous cyber attacks against a variety of Israeli targets in recent years.


Israeli companies were the targets of countless attacks attributed to Iranian hackers in recent years, but so far it had not been clear what the motivation was behind these actions. Some studies referred to the attacks as criminal assaults, while others saw them as strategic actions. So far, the assumption was that Iranian hacker groups operate mainly with criminal motives rather than strategic ones.


Amitai Ben Shushan Ehrlich. Photo: SentinelOne
According to researcher Amitai Ben Shushan Ehrlich, this specific group, named Agrius, has been operating against Israel since the beginning of 2020. While SentinelOne is very careful when discussing the group, the company assesses with “medium confidence” that it is of Iranian origin and “engaged in both espionage and disruptive activity.” Furthermore, according to information obtained by Calcalist from other sources in the industry, this group was behind the attacks on Shirbit and KLS Capital.


While in its report, SentinelOne admits “it is hard to provide a definitive attribution for Agrius,” it does state that “a set of indications pointing the activity towards an Iranian nexus came up throughout the investigation.”


The report goes on to state that Agrius’ actions, as in past attacks by Iranian hackers, seem to be correlated with Iranian interests. It also states that some of Agrius’ tools in the attack were uploaded from Iran and other Middle East countries and that some of the attack’s infrastructure was hosted on servers “that have also resolved to Iranian domains in the past.”


The report also touched on the “usage of the DEADWOOD wiper,” an Iranian-made tool, writing “Agrius utilized the DEADWOOD wiper, which was previously attributed to an Iranian-nexus actor,” and while “the ties between Agrius and the threat actor who originally deployed DEADWOOD remain unclear, it’s possible that the two groups have access to shared resources.”


The report concludes that “it’s unlikely that Agrius is a financially motivated threat actor,” while also pointing to the timing of the attacks and to a potentially larger Iranian move. “Early May 2021 saw another set of disruptive ransomware attacks attributed to Iran targeting Israel from the n3tw0rm ransomware group, a newly-identified threat actor with links to the 2020 Pay2Key attacks. The close proximity of the Agrius and n3tw0rm campaigns suggests they may be part of a larger, coordinated Iranian strategy.”


Hacker illustration. Photo: Getty Images
Iranian cyber operations are intended to hurt their targets on a number of levels: criminal, psychological, and strategic. At the criminal level, the hackers’ goal is financial; on the psychological level, they create panic and expose weaknesses by extorting Israeli organizations and generating bad publicity. At the strategic level, the infiltration of Israeli organizations yields valuable information for the Iranians.


And yet, the people behind the report do not see the group as being very advanced. "We have seen very wide access attempts to a variety of destinations in the country. The group seems to be working according to a ‘take what you can get’ method as it tries to infiltrate dozens of organizations using publicly available tools," says Ben Shushan Ehrlich. "The group knows how to use its resources well. According to the activities, fairly basic protection measures such as managing software updates and cyber tools that will protect computers can be a significant obstacle to their activities," he said.