Iran-linked ‘Lord Nemesis’ group appears intent on intimidating Israeli organizations, report says

An Iranian state-backed hacking group recently infiltrated a company that makes academic administration software and used that access to intimidate other Israeli organizations, analysts said on Thursday.

The overall goal of the operation appeared to be hacktivism and not necessarily financial gain, according to OP Innovate, the Israeli company that investigated the incident.

In November, the attackers breached Rashim Software and then appeared to use credentials obtained in that incident to “infiltrate several of the company’s clients, including numerous academic institutes,” OP Innovate said.

Israeli cybersecurity companies have been closely monitoring Iranian state-backed hackers since Israel’s war in Gaza began in October 2023. Iran is a supporter of the Palestinian group Hamas.

OP Innovate is calling the group Lord Nemesis, a name drawn from the group’s own online branding and graphic design choices.

“From their dramatic website, which features a sinister-looking dark lord, to their modus operandi, which involves silently infiltrating networks, exfiltrating data, and gradually releasing their findings to the global web, the group’s actions are calculated to maximize the psychological impact on their victims,” OP Innovate said.

Lord Nemesis overlaps with a previously identified group that other cybersecurity companies track as Nemesis Kitten, OP Innovate said. It’s one of several names given to Tehran-backed operations, including Cobalt Mirage, APT35 and Charming Kitten. The U.S. government referenced those and others in announcing sanctions and legal actions in 2022 against operations connected with Iran’s Islamic Revolutionary Guard Corps.

OP Innovate’s report does not specify how the attackers initially breached Rashim Software. But once inside, the intruders were able to expand to Rashim’s clients by circumventing the multi-factor authentication that the company provided to those clients through its Office 365 email accounts, OP Innovate said.

As recently as March 4, the hackers were still reaching out to victims.

“Lord Nemesis, in an unusual move for a hacktivist group, provided an accurate description of the attack in an online post,” OP Innovate said. “This demonstrates their direct involvement and desire for public attribution, setting this incident apart from financially-motivated attacks typically carried out by cybercriminals.”

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.