Iran's Military Reportedly Backs Ransomware CampaignCould Cyberespionage Be Campaign's Real Purpose?
Iran's Islamic Revolutionary Guard Corps was behind a ransomware campaign that used a contracting company called "Emen Net Pasargard," or ENP, to target over a dozen organizations, according to three leaked intelligence documents assessed by the security firm Flashpoint.
Based on its analysis of documents leaked by the Iranian dissident group “Lab Dookhtegan,” Flashpoint says this ENP attack campaign, dubbed "Project Signal," began with research conducted between July and September 2020.
"A leaked internal ENP spreadsheet showed that during this time, the group was researching three to four websites per day, and that at the time the spreadsheet was written, around 20 sites had been reviewed and analyzed by ENP’s internal research organization, the Studies Center," the report notes.
Another leaked spreadsheet revealed the ransomware campaign was launched at the end of October 2020, Flashpoint says.
ENP provides cyber capabilities to Iran’s armed forces - the Islamic Revolutionary Guard Corps; one of its subsidiaries, IRGC Quds Force; and Iran’s Ministry of Intelligence and Security, according to the report.
The leaked documents Flashpoint analyzed also contained best practices for conducting the ransomware campaign, the report notes.
A spreadsheet listed steps for receiving bitcoin payments from ransomware victims and also outlined decryption steps. "Based on these two factors - that ENP was likely accepting victim bitcoin payments and following through to decrypt victim accounts upon payment - it appears that, at least on the surface, ENP’s Project Signal ransomware operation was financially motivated," the report notes.
Disguising Military Activity?
Flashpoint’s report notes, however, that inclusion of financial payment steps may be a ploy to mimic the tactics, techniques and procedures of other financially motivated cybercriminal ransomware groups in an attempt to disguise the Iranian military's involvement in cyberespionage.
"Other Iranian APT groups use similar techniques to blend in with the cybercriminal threat landscape," the report states. "For example, APT33 is known to use publicly available remote access Trojans, like Nanocore, to blend in with normal cybercriminal activity and avoid the attribution which typically comes from the implementation of custom malware."
Links to Pay2Key
The timing of the campaign also coincides with the Pay2Key ransomware campaign that has targeted Israeli firms, Flashpoint points out.
But because Flashpoint was unable to pinpoint Project Signal's victims, it could not confirm the direct link between ENP and Pay2Key.
Check Point Research first identified Pay2Key in October after the strain targeted several Israeli organizations, demanding ransoms of nine bitcoins, or about $140,000 (see: Pay2Key Ransomware Hits Israeli Targets).
Lotem Finkelstein, head of cyber intelligence at Check Point Research, referring to the company's investigation of Pay2Key, told Israeli newspaper Haaretz that ransomware groups can have aims that are other than financial: “With the Pay2Key ransomware, an unknown Iranian group of hackers attacked mainly Israeli companies with cutting-edge ransomware. While doing everything they could to collect the ransom, the geopolitical characteristics [of the attack] also suggest the hackers were also ideologically driven.”
The Check Point analysis notes: "Analyzing Pay2Key ransomware operation, we were unable to correlate it to any other existing ransomware strain, and it appears to be developed from scratch. Several versions of this crypto-locking malware have already been spotted in the wild, which means that it's likely still under development."
In December 2020, security firm ClearSky concluded that Pay2Key is linked to Fox Kitten, an Iranian threat group (see: Pay2Key Ransomware Campaign Tied to Iran).