Diamond industry big players hit by Iranian APT

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Major companies in the diamond industry (and a couple of adjacent ones) have been hit by a brand new data wiper courtesy of a known Iran-based advanced persistent threat (APT) group. 

Cybersecurity researchers from ESET’s welivesecurity arm have recently discovered Agrius, a threat actor that initiated a supply chain attack against an Israeli software developer and through it, a number of diamond businesses across three continents.

In a research report, ESET said the Israeli firm was targeted by Agrius’ new data wiper, called Fantasy. This wiper is based on Agrius’ previous tool, Apostle, but with notable differences.

Building on Apostle

“The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did,” the company said. “Instead, it goes right to work wiping data. Victims were observed in South Africa – where reconnaissance began several weeks before Fantasy was deployed – Israel and Hong Kong.”

The researchers suspect Agrius targeted the Israeli company’s software update mechanisms, which allowed them to infect endpoints belonging to its clients - a diamond seller and an HR consulting firm in Israel, a diamond company in South Africa, and a jeweler in Hong Kong. 

The threat actor sought out known vulnerabilities in internet-facing applications and used the to deploy web shells. That allowed them to maintain persistence on the target networks, move laterally, and ultimately - deliver the malicious payload.

“Since its discovery in 2021, Agrius has been solely focused on destructive operations,” the researchers explained further. “Fantasy is similar in many respects to the previous Agrius wiper, Apostle, that initially masqueraded as ransomware before being rewritten to be actual ransomware.”

Fantasy, on the other hand, “makes no effort to disguise itself as ransomware. Agrius operators used a new tool, Sandals, to connect remotely to systems and execute Fantasy.”

Via: Infosecurity Magazine

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.