A series of destructive cyber attacks targeting Israeli higher education and tech sectors have been ongoing since January 2023. These attacks, attributed to an Iranian nation-state hacking group called Agonizing Serpens, are aimed at deploying previously undocumented wiper malware. The attackers seek to steal sensitive data, including personally identifiable information (PII) and intellectual property.
Once the information is stolen, the attackers deploy various wipers to cover their tracks and render the infected endpoints unusable. The cyberattacks involve the use of three novel wipers: MultiLayer, PartialWasher, and BFG Agonizer. These wipers are designed to delete or corrupt files and even wipe the boot sector, making the system unusable. The threat actors also use a bespoke tool called Sqlextractor to extract information from database servers.
Agonizing Serpens has been linked to wiper attacks targeting Israeli entities and has been active since at least December 2020. The attackers exploit vulnerable internet-facing web servers as initial access routes, deploy web shells, conduct network reconnaissance, and steal administrative credentials. They use a mix of public and custom tools for lateral movement and data exfiltration.
Agonizing Serpens has demonstrated the capability to bypass endpoint detection and response (EDR) and other security measures by rotating between known proof-of-concept (PoC) and penetration testing tools, as well as custom tools.
