Void Manticore: Iranian State-Sponsored Cyber Warfare Exposed
In the complex and rapidly evolving world of cybersecurity, state-sponsored threat actors continue to push the boundaries of their capabilities, posing significant threats to national security and digital infrastructure. Among these malicious entities, Void Manticore, an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS), has emerged as a formidable adversary. Check Point Research (CPR) has been actively monitoring Void Manticore’s activities, revealing their involvement in destructive wiping attacks coupled with sophisticated influence operations.
Void Manticore’s operations are characterized by a dual approach, combining psychological warfare with actual data destruction. Operating under various online personas, such as “Karma” for operations targeting Israel and “Homeland Justice” for attacks in Albania, Void Manticore tailors its attacks to different regions. This strategic use of personas not only aids in masking their true identity but also aligns their operations with specific geopolitical objectives.
The collaboration between Void Manticore and Scarred Manticore highlights a coordinated effort to conduct comprehensive cyber assaults. This partnership extends the reach and impact of their attacks, presenting a formidable challenge for cybersecurity defenders. By leveraging the resources and expertise of multiple threat actors, these groups can execute sophisticated campaigns with far-reaching consequences.
Void Manticore employs relatively straightforward yet effective tactics. They often utilize publicly available tools to establish initial access to target networks. Once inside, they deploy custom wipers, targeting critical files and partition tables to disrupt system functionality. The group engages in manual data destruction activities, further amplifying the impact of their attacks.
Void Manticore’s arsenal includes a range of custom wipers, each serving specific purposes:
- CI Wiper: First deployed in an attack against Albania in July 2022, this wiper targets specific files, enabling selective erasure of critical information.
- Partition Wipers (LowEraser): Used in attacks against entities such as INSTAT in Albania and multiple Israeli entities, these wipers obliterate partition tables, rendering all data on the disk inaccessible.
- BiBi Wiper: Named after Israel’s Prime Minister Benjamin Netanyahu, this wiper exists in both Linux and Windows variants, employing sophisticated techniques to corrupt files and disrupt system functionality.
The recent attacks against Israel in 2023-2024 bear striking similarities to the destructive campaigns carried out in Albania in 2022. The comparison highlights a coordinated handoff process between Scarred Manticore and Void Manticore, with both actors leveraging similar vulnerabilities and tools.
| Aspect | Albania (2022) | Israel (2023-2024) |
|---|---|---|
| Actor #1 | Storm-0861 ~ Scarred Manticore | Storm-0861 ~ Scarred Manticore |
| Initial Access | CVE-2019-0604 | CVE-2019-0604 |
| Tools | Foxshell | Liontail |
| Objective | Email Exfiltration | Email Exfiltration (LionHead) |
| Actor #2 | Storm-0842 ~ Void Manticore | Storm-0842 ~ Void Manticore |
| Destruction | Wiper (CI Wiper) + Ransomware | Wiper (BiBi Wiper) |
| Leaking Persona | Homeland Justice | Karma |
The emergence of Void Manticore and its collaboration with Scarred Manticore underscores the escalating threat posed by state-sponsored cyber actors. The ability of these groups to coordinate their efforts, adapt their tactics, and deploy advanced tools necessitates a heightened state of vigilance for organizations and governments worldwide.