Diamond industry big players hit by Iranian APT
A supply chain attack hit firms on three continents
Major companies in the diamond industry (and a couple of adjacent ones) have been hit by a brand new data wiper courtesy of a known Iran-based advanced persistent threat (APT) group.
Cybersecurity researchers from ESET's WeLiveSecurity arm have recently uncovered a new campaign by Agrius, a threat actor that mounted a supply chain attack against an Israeli software developer and, through it, a number of diamond businesses across three continents.
In a research report, ESET said the Israeli firm was targeted by Agrius' new data wiper, called Fantasy. This wiper is based on Agrius' previous tool, Apostle, but with notable differences.
Building on Apostle
“The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did,” the company said. “Instead, it goes right to work wiping data. Victims were observed in South Africa – where reconnaissance began several weeks before Fantasy was deployed – Israel and Hong Kong.”
The researchers suspect Agrius abused the Israeli company's software update mechanism, which allowed them to infect endpoints belonging to its clients: a diamond seller and an HR consulting firm in Israel, a diamond company in South Africa, and a jeweler in Hong Kong.
The threat actor sought out known vulnerabilities in internet-facing applications and exploited them to deploy web shells. Those gave the attackers persistence on the target networks, a foothold from which to move laterally and, ultimately, deliver the wiper.
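A web shell dropped through an exploited internet-facing application tends to leave one tell-tale pattern in the web server's access log: repeated POST requests from a single source to a server-side script that the application never shipped. The following detector is an added example and is not code from ESET's report or from TechRadar; the log lines, IP addresses, paths and the allowlist of legitimate endpoints are all constructed for illustration, and a real deployment would build the allowlist from the application's actual routes.

```python
"""Toy web-shell activity detector over constructed access-log lines.

Added example, not from ESET's report or TechRadar's article. The log lines,
paths, IPs and KNOWN_SCRIPTS allowlist are constructed for illustration.
"""
import re
from collections import Counter

# Combined log format (Apache/nginx style); only the fields we need are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed allowlist: script paths the (hypothetical) application legitimately serves.
KNOWN_SCRIPTS = {"/login.aspx", "/api/orders.aspx", "/index.php"}

# Extensions executed server-side; an unknown file with one of these is suspicious.
SCRIPT_EXT = (".aspx", ".ashx", ".php", ".jsp")

# Constructed sample log: normal traffic plus one host hammering an unknown .aspx file.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.5 - - [01/Dec/2022:10:00:02 +0000] "POST /login.aspx HTTP/1.1" 302 0
198.51.100.7 - - [01/Dec/2022:10:05:10 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 812
198.51.100.7 - - [01/Dec/2022:10:05:11 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 3401
198.51.100.7 - - [01/Dec/2022:10:05:12 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 120
198.51.100.7 - - [01/Dec/2022:10:05:13 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 77
203.0.113.9 - - [01/Dec/2022:10:06:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
203.0.113.9 - - [01/Dec/2022:10:06:01 +0000] "GET /api/orders.aspx?id=4 HTTP/1.1" 200 900
"""


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(log_text, min_posts=3):
    """Return {(ip, path): post_count} for server-side script paths that are
    not in the allowlist and received at least min_posts POSTs from one IP.

    Web shells are usually driven by repeated POSTs (commands in the body) to
    one unexpected script, which is the pattern flagged here. Query strings
    are stripped so /x.aspx?cmd=1 and /x.aspx count as the same path.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue  # static content, not an executable script
        if path in KNOWN_SCRIPTS:
            continue  # shipped by the application, expected traffic
        if rec["method"] == "POST":
            counts[(rec["ip"], path)] += 1
    return {key: n for key, n in counts.items() if n >= min_posts}


if __name__ == "__main__":
    for (ip, path), n in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"suspicious: {n} POSTs from {ip} to unknown script {path}")
```

The threshold and the allowlist are the two knobs: a single POST to an unknown script is noise on a busy site, but several from one source to a script nobody deployed is worth pulling the file and its creation time from the web root. Pair this with a file-integrity check on the web root so that the allowlist is enforced on disk as well as in the logs.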
“Since its discovery in 2021, Agrius has been solely focused on destructive operations,” the researchers explained further. “Fantasy is similar in many respects to the previous Agrius wiper, Apostle, that initially masqueraded as ransomware before being rewritten to be actual ransomware.”
Fantasy, on the other hand, “makes no effort to disguise itself as ransomware. Agrius operators used a new tool, Sandals, to connect remotely to systems and execute Fantasy.”
Via: Infosecurity Magazine
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.