Iran-Linked Void Manticore Intensifies Cyber-Attacks on Israel

Written by

An Iranian threat actor, Void Manticore, has been identified as responsible for destructive cyber activities targeting Israeli organizations.

The group, affiliated with Iran’s Ministry of Intelligence and Security (MOIS), is known for executing wiping attacks combined with influence operations. 

Since October 2023, Check Point Research (CPR) has been monitoring Void Manticore, also known as Storm-842, which has been particularly active in Israel using the online persona “Karma.” This persona has conducted attacks that involve data wiping, theft and public leaks.

Void Manticore’s operations extend beyond Israel to include Albania, where the group has used the persona “Homeland Justice” to leak data. 

A notable tool in the group’s arsenal is the custom BiBi wiper, named after Israeli Prime Minister Benjamin Netanyahu, used to carry out these attacks. 

In a new advisory published earlier today, CPR also suggested a significant overlap in targets between Void Manticore and another Iranian threat actor, Scarred Manticore (aka Storm-861). This suggests systematic handoffs of victims between the groups.

Read more on this threat: Scarred Manticore Targets Middle East with Advanced Malware

The techniques employed by Void Manticore are relatively simple, relying on publicly available tools for manual deletions and custom wipers for both Windows and Linux systems. Their approach includes lateral movement through Remote Desktop Protocol (RDP) and manual deployment of their wipers. The group’s TTPs align with quick and destructive operations, indicating a strategy of rapid, high-impact attacks.

Void Manticore has exploited geopolitical tensions, especially in the Middle East, to mask their activities under the guise of anti-Zionist motives. According to CPR, the group has targeted over 40 Israeli organizations, leveraging data wiping and public leaks to maximize disruption and psychological impact. 

“Void Manticore’s use of distinct online personas, notably ‘Homeland Justice’ and ‘Karma,’ plays a significant role in their strategy,” reads the advisory.

“The personas allow them to tailor their messaging in an attempt to effectively weaponize political tensions. The deployment of the custom BiBi wiper in their operations against Israeli targets showcases their intent to not only cause direct damage but also to send a politically charged message.”

Moreover, CPR explained that Void Manticore’s collaboration with Scarred Manticore demonstrates a high level of operational coordination. 

“The documented handoff procedures between these groups suggest a consistent level of planning and allow Void Manticore access to a wider set of targets, facilitated by their counterparts’ advanced capabilities,” CPR wrote.

“This cooperation positions Void Manticore as an exceptionally dangerous actor within the Iranian threat landscape.”

What’s hot on Infosecurity Magazine?