Many-faced Iranian hackers stir destruction in Albania and Israel

Destructive wiping attacks, coupled with influence operations targeting Israel, Albania, and other countries, were conducted by an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS). Check Point Research shed light on some of its tactics.

Dubbed Void Manticore, the Iranian threat actor adopts various online personas for its operation in different countries. The most prominent ones are “Homeland Justice” for attacks in Albania and “Karma” for operations against Israel.

Void Manticore targets different regions with tailored attacks, and its efforts overlap with those of threat actor Scarred Manticore, suggesting coordination and systematic victim targeting in MOIS.

Check Point researchers warn that Void Manticore emerges as a significant threat “to anyone who opposes Iranian interests,” utilizing a complex web of online personas, strategic collaborations, and sophisticated attack methodologies.

The threat actor is notorious for its dual approach to cyberattacks, combining actual data destruction with psychological warfare.

“Utilizing five distinct methods, including custom wipers for Windows and Linux, Void Manticore disrupts operations through file deletion and shared drive manipulation,” Check Point researchers said.

Manticore, after which the threat actors are named, is a Persian legendary creature similar to the Egyptian sphinx.

Specializes in “the destructive phase”

The researchers analyzed the systematic handoff of targets between the two cybergangs. Scarred Manticore seems to be responsible for the initial access and data exfiltration from targeted networks. Then, it transitions the victim’s control to Void Manticore to execute “the destructive phase of the operation.” This amplifies the scale and impact of the attacks.

The overlaps were observed in attacks against Israel in 2023-2024 and Albania in 2022.

“Void Manticore’s tactics are relatively straightforward yet effective. They often utilize basic, publicly available tools to establish access to target networks. Once inside, they deploy custom wipers for both Windows and Linux systems, targeting critical files and partition tables to render data inaccessible. Additionally, the group engages in manual data destruction activities, further amplifying the impact of their attacks,” the report explains.

The hackers employ a range of custom wipers, serving varying purposes. Some target specific files, file types, or applications to selectively erase critical information, while others corrupt the system’s partition table, leaving data inaccessible.

The group’s utilized CI Wiper was first deployed in an attack against Albania in July 2022, alongside partition wipers like the LowEraser, used in attacks against entities in Albania and Israel.

“Their most recent attacks saw the deployment of the BiBi Wiper, named after Israel’s Prime Minister Benjamin Netanyahu, which exists in both Linux and Windows variants, employing sophisticated techniques to corrupt files and disrupt system functionality,” researchers said.