Iran-linked ‘Lord Nemesis’ group appears intent on intimidating Israeli organizations, report says

An Iranian state-backed hacking group recently infiltrated a company that makes academic administration software and used that access to intimidate other Israeli organizations, analysts said on Thursday.

The overall goal of the operation appeared to be hacktivism and not necessarily financial gain, according to OP Innovate, the Israeli company that investigated the incident.

In November, the attackers breached Rashim Software and then appeared to use credentials obtained in that incident to “infiltrate several of the company’s clients, including numerous academic institutes,” OP Innovate said.

Israeli cybersecurity companies have been closely monitoring Iranian state-backed hackers since Israel’s war in Gaza began in October 2023. Iran is a supporter of the Palestinian group Hamas.

OP Innovate is calling the group Lord Nemesis, given some of its graphic design choices.

“From their dramatic website, which features a sinister-looking dark lord, to their modus operandi, which involves silently infiltrating networks, exfiltrating data, and gradually releasing their findings to the global web, the group’s actions are calculated to maximize the psychological impact on their victims,” OP Innovate said.

Lord Nemesis overlaps with a previously identified group that other cybersecurity companies track as Nemesis Kitten, OP Innovate said. It’s one of several names given to Tehran-backed operations, including Cobalt Mirage, APT35 and Charming Kitten. The U.S. government referenced those and others in announcing sanctions and legal actions in 2022 against operations connected with Iran’s Islamic Revolutionary Guard Corps.

OP Innovate’s report does not specify how the attackers initially breached Rashim Software. But the intruders were able to expand to Rashim’s clients by circumventing the multi-factor authentication that the company provided them through Office365 emails, OP Innovate said.

As recently as March 4, the hackers were still reaching out to victims.

“Lord Nemesis, in an unusual move for a hacktivist group, provided an accurate description of the attack in an online post,” OP Innovate said. “This demonstrates their direct involvement and desire for public attribution, setting this incident apart from financially-motivated attacks typically carried out by cybercriminals.”

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years’ experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 
