Hackers reportedly impersonate cyber firm ESET to target organizations in Israel
Unknown hackers have reportedly attempted to infect Israeli organizations with wiper malware delivered through phishing emails that impersonated the cybersecurity firm ESET.
The malicious email, allegedly sent from ESET, claimed a device belonging to the recipient was targeted by a state-backed threat actor and included a link to a ZIP download supposedly hosted on ESET servers that would help recover from the attack.
According to cybersecurity researcher Kevin Beaumont, who discovered the malicious ESET-branded campaign and flagged it on his blog, the email could infect victims' devices with fake ransomware.
The hackers appear to have hosted malicious files on ESET servers, he said, indicating they were able to breach the company’s defenses. A screenshot provided by Beaumont indicated that Google flagged the email as dangerous.
In a statement on Friday, the Slovak-based ESET said it is aware of a security incident that affected its partner company in Israel last week.
“Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes,” the company said, adding that its customers are secure.
ESET also denied Beaumont’s claim that its Israeli branch's infrastructure was compromised in the attack.
“ESET was not compromised and is working closely with its partner to further investigate, and we continue to monitor the situation,” the company said.
The company said it could not comment beyond its initial statement and directed questions to ESET's Israel distributor, Comsecure, which was “impacted.”
Beaumont said the ESET-branded campaign targeted “cybersecurity personnel within organizations across Israel.”
The emails were reportedly sent on October 8, the day after the anniversary of Hamas’ and other Palestinian militant groups’ armed incursions into Israel.
It is also unclear which threat actor is behind the campaign, but the tactics are similar to those of the pro-Palestine group Handala, which is known for targeting Israel.
Back in July, Handala claimed responsibility for a phishing campaign impersonating cybersecurity firm CrowdStrike that attempted to install a wiper on Israeli victims’ networks. They also claimed to have launched other attacks, including on Israeli Iron Dome radars.
In a recent report, the cybersecurity company Trellix described Handala’s attacks as sophisticated and suggested the group may have links to Iran.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.