New Iranian Group ‘Agrius’ Launches Destructive Cyberattacks on Israeli Targets

Over the past year, an Iran-linked threat actor named Agrius has been observed launching destructive attacks on Israeli targets, under the disguise of ransomware attacks, according to endpoint security company SentinelOne.

Likely state-sponsored, the threat group initially engaged in cyberespionage attacks, but then attempted to extort victims, claiming to have exfiltrated and encrypted data. The recovery of the impacted files, however, was not possible, due to the destructive nature of the attack.

Dubbed Apostle, the wiper used in these attacks was later updated with encryption capabilities, becoming a fully functional piece of ransomware.

“The similarity to its wiper version, as well as the nature of the target in the context of regional disputes, leads us to believe that the operators behind it are utilizing ransomware for its disruptive capabilities,” SentinelOne says.

Vulnerabilities in Internet-facing applications are leveraged for intrusion, including CVE-2018-13379, a high-severity path traversal vulnerability in the FortiOS SSL VPN web portal, and various security bugs in other web-based applications.

Agrius, the researchers say, uses VPN services to connect to victims’ environments, and employs webshells (mainly variations of ASPXSpy) to tunnel RDP traffic and exploit compromised accounts for lateral movement.

The attackers also employ publicly available tools to harvest credentials and expand their foothold into the compromised environment. They also deploy their own .NET backdoor dubbed IPsec Helper onto targets of interest, to steal data and deploy more payloads when necessary.

In addition to Apostle, the threat group was observed using a wiper called DEADWOOD, which was previously used in an attack against a target in Saudi Arabia in 2019. Most of the adversary’s targets, however, are from Israel, and are likely chosen opportunistically, SentinelOne researchers believe.

Apostle shares code similarities with IPsec Helper, likely because they are both developed in-house. An initial version of the malware contained only wiping capabilities, but failed to perform the action as expected, which led to the deployment of the DEADWOOD wiper.

This year, the threat actor came up with a second variant of Apostle, which features ransomware capabilities, but employs the old wiping method for deleting the original files after encryption.

During their investigation, SentinelOne researchers did not find links between Agrius’ techniques, tools, and infrastructure and known threat actors, but did identify evidence suggesting the adversary operates out of Iran.

“Agrius is a new threat group that we assess with medium confidence to be of Iranian origin, engaged in both espionage and disruptive activity. The group leverages its own custom toolset, as well as publicly available offensive security tools, to target a variety of organizations in the Middle East,” SentinelOne notes.

The researchers also point out that the group might be part of a larger, coordinated Iranian strategy that also includes the recently disclosed Pay2Key attacks. However, the destructive nature of Agrius’ attacks, which continued into May 2021, suggests that the group is not financially motivated.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
