Void Manticore | |
Other Names | Storm-0842, Karma, Homeland Justice |
Location | Iran |
Date of initial activity | 2023 |
Suspected attribution | State-sponsored Threat Group |
Government Affiliation | Yes |
Associated Groups | Scarred Manticore, Havoc Manticore |
Motivation | Cyber Espionage |
Associated tools | BiBi Wiper |
Overview
Void Manticore is an Iranian threat actor group affiliated with the Ministry of Intelligence and Security (MOIS). The group first emerged in October 2023 and quickly gained notoriety for its destructive cyber operations. Void Manticore is known for executing high-impact, disruptive attacks primarily targeting organizations in Israel. The group’s activities are characterized by a combination of data-wiping attacks and information leaks, aimed at both causing operational disruption and advancing political motives.
The group operates under various online personas, including “Karma” and “Homeland Justice,” to execute and publicize their attacks. These personas are used to leverage political tensions and amplify the impact of their cyber operations. “Karma” is notably linked to attacks in Israel, employing a custom wiper called the BiBi wiper, which is named after Israeli Prime Minister Benjamin Netanyahu. In contrast, “Homeland Justice” is associated with attacks in Albania, using similar tactics and tools.
Void Manticore’s operational tactics include sophisticated handoffs with other threat groups, particularly Scarred Manticore. This coordination involves transferring access and targets between the two groups, with Scarred Manticore typically handling initial access and data exfiltration, while Void Manticore focuses on destructive activities. The handoff process is marked by a shift from advanced to more basic tools, with Void Manticore deploying custom wipers and manual data destruction methods.
The group employs a range of wipers and tools to achieve their goals. Their arsenal includes custom-built wipers for both Windows and Linux systems, which target specific files and partitions to render data inaccessible. The group’s techniques are relatively straightforward, involving the manual deployment of wipers and the use of tools like Remote Desktop Protocol (RDP) for lateral movement within compromised networks. Void Manticore’s operations are designed to maximize damage and disrupt critical infrastructure, demonstrating a high level of coordination and strategic planning.
Common targets
Israeli Organizations: The group has been notably active against Israeli entities, particularly in the context of the ongoing Israel-Hamas conflict. Their attacks in Israel often involve destructive operations using custom wipers like the BiBi wiper, named after Israeli Prime Minister Benjamin Netanyahu. These attacks aim to disrupt operations and cause significant data loss.
Albanian Entities: Void Manticore has also targeted organizations in Albania. Their activities here have included using politically charged messaging and executing destructive attacks. The group’s attacks in Albania often involve a similar pattern of initial data exfiltration by Scarred Manticore, followed by destructive operations by Void Manticore.
High-Value Targets: Both in Israel and Albania, Void Manticore focuses on high-value targets, including government agencies, financial institutions, and other critical infrastructure. Their operations are designed to maximize impact and send political messages.
Organizations with Existing Compromises: There is evidence that Void Manticore sometimes takes over networks previously compromised by other threat actors, such as Scarred Manticore. This strategy allows them to leverage existing access and target organizations more effectively.
Attack Vectors
Spear Phishing
Exploiting Vulnerabilities
Remote Desktop Protocol (RDP) Abuse
Malicious Software Downloads
Credential Dumping
Web Application Exploitation
How they operate
Void Manticore, an Iranian threat actor linked to the Ministry of Intelligence and Security (MOIS), has emerged as a formidable player in the realm of cyber warfare. Since its inception in 2022, this group has executed a series of high-profile attacks characterized by their destructive nature and psychological impact. Specializing in wipers and ransomware, Void Manticore’s operations are not just about causing damage but also about leveraging cyber-attacks to influence and intimidate its targets.
The group’s modus operandi is marked by a combination of sophisticated and rudimentary techniques designed to achieve their objectives. The primary method involves the deployment of custom wipers such as the BiBi Wiper, which targets both Windows and Linux systems. These wipers are engineered to either corrupt files directly or obliterate partition tables, rendering data inaccessible and causing significant operational disruption. The BiBi Wiper, named derisively after Israeli Prime Minister Benjamin Netanyahu, has been used extensively in attacks against Israeli organizations, highlighting the group’s focus on politically charged targets.
Void Manticore’s attack strategies also include manual data destruction activities using legitimate tools like Windows File Explorer, SysInternals SDelete, and the Windows Format Utility. These methods are employed to ensure thorough data eradication, often complementing automated wiper attacks. In addition to these destructive techniques, the group utilizes Remote Desktop Protocol (RDP) abuse and credential dumping to gain and maintain unauthorized access to victim networks.
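The manual-destruction and RDP-abuse pattern described in the paragraph above is one a defender can look for in Windows security telemetry. The script below is an added example written for this page, not tooling from the profile or from any vendor report: it scans a handful of constructed process-creation (4688) and logon (4624) events for SysInternals SDelete runs, the Windows format utility invoked against a volume, and RemoteInteractive (RDP, logon type 10) logons from outside an assumed allow-list, then reports hosts where an unexpected RDP session and a destructive tool run both appear. The event field names, host names, user names and IP addresses are assumptions chosen for illustration.

```python
"""Added example: detection logic for the manual data-destruction and RDP
patterns described on this page. Illustrative code, not from the profile;
all event data, hosts and addresses are constructed."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed events, loosely modelled on Windows Security log fields:
# 4688 = process creation, 4624 = logon (logon_type 10 = RemoteInteractive/RDP).
SAMPLE_EVENTS = [
    {"id": 4688, "host": "FS01", "user": "svc_backup",
     "cmdline": r"C:\Tools\sdelete64.exe -p 3 -s -q D:\Shares"},
    {"id": 4688, "host": "FS01", "user": "svc_backup",
     "cmdline": r"C:\Windows\System32\format.com E: /FS:NTFS /Q /Y"},
    {"id": 4688, "host": "WS07", "user": "alice",
     "cmdline": r"C:\Windows\System32\notepad.exe report.txt"},
    {"id": 4624, "host": "FS01", "user": "svc_backup", "logon_type": 10,
     "src_ip": "203.0.113.45"},
    {"id": 4624, "host": "WS07", "user": "alice", "logon_type": 10,
     "src_ip": "10.0.5.12"},
    {"id": 4624, "host": "WS07", "user": "alice", "logon_type": 2,
     "src_ip": "-"},
]

# Assumption for this example: RDP sessions from this jump host are expected.
EXPECTED_RDP_SOURCES = {"10.0.5.12"}
SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe"}
DRIVE_LETTER = re.compile(r"^[A-Za-z]:$")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    detail: str


def check_process(event):
    """Flag SDelete runs and format.com invoked against a volume (event 4688)."""
    # Whitespace split is enough here; the constructed command lines have no quoted paths.
    argv = event["cmdline"].split()
    exe = ntpath.basename(argv[0]).lower()
    if exe in SDELETE_NAMES:
        return Finding(event["host"], event["user"], "sdelete_execution", event["cmdline"])
    if exe == "format.com" and any(DRIVE_LETTER.match(a) for a in argv[1:]):
        return Finding(event["host"], event["user"], "format_volume", event["cmdline"])
    return None


def check_logon(event):
    """Flag RDP (logon type 10) logons from sources outside the expected set (event 4624)."""
    if event["logon_type"] == 10 and event["src_ip"] not in EXPECTED_RDP_SOURCES:
        return Finding(event["host"], event["user"], "rdp_unexpected_source", event["src_ip"])
    return None


def scan(events):
    """Run every check over the event stream and collect findings in event order."""
    findings = []
    for ev in events:
        if ev["id"] == 4688:
            f = check_process(ev)
        elif ev["id"] == 4624:
            f = check_logon(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


def hosts_with_access_and_destruction(findings):
    """Hosts showing both an unexpected RDP logon and a destructive tool run:
    the access-then-wipe sequence the profile describes, worth escalating."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return sorted(host for host, rules in by_host.items()
                  if "rdp_unexpected_source" in rules
                  and rules & {"sdelete_execution", "format_volume"})


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:6} {f.user:12} {f.rule:24} {f.detail}")
    print("escalate:", hosts_with_access_and_destruction(found))
```

Run as a script it lists each finding and then the hosts to escalate (FS01 for the constructed data). In a real deployment the allow-list and process-name sets would come from inventory, and the checks would be fed by a log pipeline rather than an inline list; the correlation step matters more than any single rule, since SDelete and format both have legitimate administrative uses.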
The group’s operations are further distinguished by their collaborative efforts with other threat actors, particularly Scarred Manticore. Evidence suggests a systematic “handoff” procedure where Scarred Manticore, a more sophisticated actor, first infiltrates a target network and then transfers access to Void Manticore. This collaboration allows Void Manticore to leverage advanced capabilities and access high-value targets, facilitating more impactful and targeted attacks. The synergy between these groups underscores a well-coordinated strategy to maximize the damage inflicted on their victims.
Void Manticore employs a blend of bespoke and publicly available software. Key tools include the Karma Shell, a custom web shell used for lateral movement and network reconnaissance, and various partition wipers like JustMBR and Pinky. These tools are designed to cause maximum disruption and ensure that compromised data remains irretrievable. The group’s reliance on both custom and off-the-shelf tools reflects a pragmatic approach to cyber-attacks, balancing sophistication with accessibility.
The attacks carried out by Void Manticore have had a profound impact on their targets, particularly in Israel and Albania. By combining destructive attacks with psychological operations, the group not only causes operational damage but also aims to create a climate of fear and uncertainty. Their use of politically charged messaging, such as the symbolism in the BiBi Wiper, indicates a strategic intent to amplify the political and psychological effects of their cyber operations.
MITRE Tactics and Techniques
T1071.001 – Application Layer Protocol: Web Protocols
T1133 – External Remote Services
T1071.003 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer
T1203 – Exploitation for Client Execution
T1075 – Pass the Hash
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1021.001 – Remote Services: Remote Desktop Protocol
T1072 – Application Layer Protocol
T1555 – Credentials from Password Stores
T1566.001 – Phishing: Spearphishing Attachment
Impact / Significant Attacks
Israeli Cyberattacks (2022-2024): Void Manticore has targeted various organizations in Israel, leveraging wipers like the BiBi Wiper to inflict damage. These attacks have caused operational disruptions and are believed to be politically motivated, aimed at undermining Israeli entities.
Albanian Government Attack (2022): The group conducted a major cyberattack against the Albanian government, leading to significant data breaches and disruptions. This attack was notable for its scale and impact, demonstrating Void Manticore’s capability to target and disrupt governmental operations.
Operation Shaheen (2023): This operation involved a sophisticated campaign that combined wiper attacks with ransomware, targeting critical infrastructure and private sector organizations in various countries. The operation showcased Void Manticore’s ability to blend different attack methods for maximum effect.
Lebanese Financial Sector Attacks (2024): The group targeted Lebanese financial institutions, employing custom wipers and credential dumping techniques to disrupt operations and steal sensitive data. This campaign highlighted the group’s focus on destabilizing financial systems.
U.S. Cyberattacks (2024): Void Manticore has also been linked to attacks on U.S. organizations, including both government and private sector targets. These attacks involved sophisticated phishing campaigns and the deployment of wipers to cause data destruction and operational chaos.