• Agrius conducted a supply-chain attack abusing an Israeli software suite used in the diamond industry.
• Agrius is a newer Iran-aligned APT group solely focused on destructive operations.
• The group then deployed a new wiper we named Fantasy. Most of its code base comes from Apostle, Agrius’s previous wiper.  
• Along with Fantasy, Agrius also deployed a new lateral movement and Fantasy execution tool that we have named Sandals.
• Victims include Israeli HR firms, IT consulting companies, and a diamond wholesaler; a South African organization working in the diamond industry; and a jeweler in Hong Kong.

BRATISLAVA, MONTREAL — December 7, 2022 — ESET researchers discovered a new wiper and its execution tool, both attributed to the Iran-aligned Agrius APT group. The malware operators conducted a supply-chain attack abusing an Israeli software developer to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals. The abused Israeli software suite is used in the diamond industry, and in February 2022, Agrius began targeting an Israeli HR firm, a diamond wholesaler, and an IT consulting firm. The group is known for its destructive activities. Victims were observed in South Africa and Hong Kong as well.

“The campaign lasted less than three hours, and within that timeframe, ESET customers were already protected with detections identifying Fantasy as a wiper and blocking its execution. We observed the software developer pushing out clean updates within a matter of hours of the attack,” says Adam Burgher, ESET Senior Threat Intelligence Analyst. ESET contacted the software developer to notify them about a potential compromise, but the inquiries went unanswered.

“On February 20, 2022, at an organization in the diamond industry in South Africa, Agrius deployed credential harvesting tools, probably in preparation for this campaign. Then, on March 12, 2022, Agrius launched the wiping attack by deploying Fantasy and Sandals, first to the victim in South Africa, then to victims in Israel, and lastly to a victim in Hong Kong,” elaborates Burgher.

Fantasy wiper either wipes all files on disk or wipes all files with extensions on a list of 682 extensions, including filename extensions for Microsoft 365 applications such as Microsoft Word, Microsoft PowerPoint, and Microsoft Excel, and for common video, audio, and image file formats. Even though the malware takes steps to make recovery and forensic analysis more difficult, it is likely that recovery of the Windows operating system drive is possible. Victims were observed to be back up and running within a matter of hours.

Agrius is a newer Iran-aligned group targeting victims in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper, Apostle, disguised as ransomware, but later modified Apostle into fully fledged ransomware. Agrius exploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance before moving laterally and then deploying its malicious payloads.

Since its discovery in 2021, Agrius has focused solely on destructive operations. Fantasy is similar in many respects to the previous Agrius wiper, Apostle. However, Fantasy makes no effort to disguise itself as ransomware. There are only a few small tweaks between many of the original functions in Apostle and the Fantasy implementation.

For more technical information about Agrius’s Fantasy wiper, check out the blogpost “Fantasy – a new Agrius wiper deployed through a supply-chain attack” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

ESET welcomes the decision of EU legislators to adopt the second Network and Information Security Directive (NIS2) aimed at strengthening cyber resilience across the Union. The new legislation comes as a response to the growing dependency of critical sectors on digitalization and their higher exposure to cyber threats.

The directive now approved replaces the NIS directive introduced in 2016 as the first-ever EU-wide legislation on cybersecurity. NIS2 introduces a broader scope of action, impacting more entities in “high criticality” sectors, both the public and private sectors, such as energy, transport, banking, water and waste water, among other critical infrastructure. Whilst new obligations are brought in for those in other “critical” sectors such as manufacturing, food, chemicals, waste management, postal and courier services.

Enterprises classed as “High Criticality” will be required to take both technical and operational measures to comply with NIS2, including incident response, supply chain security, encryption and vulnerability disclosure, adequate risk analysis, testing and auditing of cybersecurity strategies, and crisis management planning in view to ensure business continuity. In case of a cyber incident, these entities will also be required to submit an initial notification within 24 hours and more detailed information within 72 hours. NIS2 also introduces fines for failure to comply, including suspension of certification and personal liability to managerial positions, in line with national laws.

Finally, the directive establishes the European Cyber Crises Liaison Organization Network, EU-CyCLONe, to enable cooperation between national agencies and authorities in charge of cybersecurity, and each Member State will also be required to clearly identify a single point of contact to report cyber incidents.

Are SMEs also obliged to comply?
NIS2 establishes “the application of the size-cap rule, whereby all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC, that operate within the sectors or provide the type of services covered by this Directive, fall within its scope”. While it excludes Small and Micro enterprises from having to comply with the new rules, some exceptions apply for example for SMEs in the sectors of electronic communications networks or of publicly available electronic communications services, trust service providers or top-level domain name (TLD) name registries.

Small and medium-sized enterprises are increasingly becoming the target of supply chain attacks due to limited security resources. Such supply chain attacks can have a cascading effect on entities to which they provide supplies. Member States should, through their national cybersecurity strategies, help small and medium-sized enterprises to address the challenges faced in their supply chains. Member States should have a point of contact for small and medium-sized enterprises at national or regional level, which either provides guidance and assistance to small and medium-sized enterprises or directs them to the appropriate bodies for guidance and assistance with regard to cybersecurity related issues.

In March last year, the European DIGITAL SME Alliance, EU’s largest SME network in the field of ICT, published its position paper to the consultation on the proposal for NIS2, welcoming the new directive, but also alerting for the indirect impact of NIS2 on SMEs.

In conversation with ESET, James Philpot, Project Manager at DIGITAL SME, notes that the first step SMEs should be taking to “understand specific needs to boost their cybersecurity practices” is looking at their “national cybersecurity center and ENISA’s guides and recommendations”. However, “it might be easier or harder” to get the right information as “different Member States provide different resources”. Nonetheless, NIS2 “mandates that States should provide support and resources” mainly when it comes to getting a detailed understanding of the scope of this legislation “and whether their customers will be subject to it”, which will “help plan ahead”.

Turning challenges into opportunities.
“Downstream suppliers are likely to be the most disrupted”, and it can be challenging for some companies to have the needed technical capabilities but mainly to understand “reporting requirements and how NIS2 interplays with other legislation”, explained Philpot.

“But in a more general sense, we have to be positive about it”, and “efforts to improve the level of cybersecurity in European businesses are generally welcomed”. The only caveat, alerts Philpot, is the level of “implementation and support, and how that is managed, that will ultimately be the difference between the legislation helping SMEs and the legislation being regulatory overburden”.

Moreover, ESET and DIGITAL SME are convinced that this new framework might be an opportunity. “Yes, it can be an opportunity, there are technical solutions available in Europe to provide the level of cybersecurity required”, but companies need to avoid “looking for the biggest name or cheapest offer, which tends to come from outside of Europe”. This is why it is so important to “link support and resources” to “leverage this legislation and to strengthen European innovation”.

SMEs can also reach out to their local CSIRTS to mitigate some of the deficiencies of other national bodies, or take advantage of resources such as the DIGITAL SME/SBS guide, the DIGITAL SME Guide on Information Security Controls or cybersecurity certificates.

Moving towards safer enterprises.
ESET’s SMB Digital Security Sentiment Report, published just last month, discovered that while 83% of SMEs believe that cyber warfare is a very real threat and 71% had moderate to high confidence in their ability to investigate the root cause of cyberattacks, 43% consider the lack of awareness of employees as the leading cause for concern, while the actual uptake of EDR (end-point detection and response) solutions, which specifically assist in this area, was only at 32%.

As Philpot also notes in the conversation with ESET, “the impacts of cyber incidents are well known” to SMEs: data leaks, considerable financial impact and loss of customer confidence. So “in a more general sense, we have to be positive” about NIS2; at the very least, this directive will play an important awareness role, even for those companies that “aren’t required to comply, they may develop greater awareness”

The NIS2 will become applicable after the EU Member States transpose the Directive into their national law: by September 2024. Nevertheless, organizations might want to be ready sooner than later, not only to be timely on the implementation process, but also to test different good practices on incident handling, control policies and reporting mythologies. Above all, NIS2 defines a minimum common level of cybersecurity in Europe, one that should be seen as the floor under our feet, not as a ceiling.