State-Sponsored Successor to “Project Signal” Ransomware Campaign Discovered
Iranian state-sponsored attackers have been linked to a variety of cyberespionage activities aimed at organizations all over the world. Flashpoint security experts recently discovered another ransomware strain from Iran, that has been operating since July 2020.
According to Flashpoint, Iran’s Islamic Revolutionary Guard Corps (IRGC) was running a ransomware campaign through Emen Net Pasargard, an Iranian contracting firm (ENP). The ransomware campaign known as “Project Signal” is thought to have started between late July and early September 2020, with ENP’s internal analysis team putting together a list of unspecified target websites.
“Iran has a history of attempting to use cybercriminal TTPs to blend in with non-state-sponsored malicious cyber activity to avoid attribution and maintain plausible deniability. It’s largely assumed that Iran has been behind multiple destructive and disruptive attacks in recent years; most notably the 2012 Shamoon attacks against Saudi Aramco and the 2012 Operational Ababil DDoS attacks against the U.S. financial institutions,” Flashpoint said.
Leaked documents reveal magnitude of operation
Three documents leaked between March 19 and April 1, 2021, which revealed that the IRGC was running a ransomware campaign sponsored by the state through ENP, were validated by Flashpoint researchers (also known as Imannet Pasargad, Iliant Gostar Iranian, and Eeleyanet Gostar Iranian).
A leaked internal ENP spreadsheet revealed that the group was studying three to four websites per day during this period, and that the Studies Center had checked and analyzed about twenty pages at the time the spreadsheet was published. Another spreadsheet showed that Project Signal had been allocated to ENP’s Cyber Directorate, which oversaw carrying out the project.
According to Flashpoint, the operators behind Project Signal have links to the notorious Iranian ransomware campaign Pay2Key, which attacked numerous Israeli companies across different sectors starting in November 2020. Both Project Signal and Pay2Key projects had financially driven attributes, according to the researchers. Due to Pay2Key, at least six Israeli businesses have leaked internal documents.