Hackers pretend to be ESET to send data wipers to Israeli companies

Unknown hackers were able to send phishing emails to Israeli businesses and organizations while pretending to be the Slovakia-based cybersecurity company ESET. The email contained a link pointing to a ZIP file carrying wiper malware.
The phishing mail, which was posted on ESET’s Security Forum, tried to persuade the recipient that their device was being targeted by a ‘geopolitical motivated threat group’.
To counter this threat, the recipient was asked to download software from ESET’s Unleashed Program. However, the URL in the mail led to a ZIP download containing a data wiper. A data wiper is malicious software designed to erase data, programs and other valuable digital assets, or to corrupt partitions so that the data becomes harder to recover.
Cybersecurity expert Kevin Beaumont was the one who discovered the ESET-branded phishing campaign.
On his blog he explained that the malicious software had to be hosted on servers belonging to Comsecure, ESET Israel’s distributor, because the email was able to pass SPF, DKIM and DMARC authentication checks. The post also includes a screenshot indicating that Google flagged the email as dangerous.
In a statement, ESET said it was aware of the phishing campaign and that the company was able to take it down in just a few minutes.
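The security-relevant lesson in the paragraph above is that a clean SPF, DKIM and DMARC result only proves the message left the named domain's infrastructure, not that its content is safe. The following added example (not from the article, Beaumont's post or ESET) shows a small triage routine that still flags such a mail: it parses the Authentication-Results header, checks the brand-versus-sending-domain mismatch and archive download links, and reports when both suspicious signals coexist with passing authentication. The message and all domains are constructed placeholders, and the brand heuristic is an assumption of this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (all domains are placeholders): authentication passes
# because the message really left the partner's mail infrastructure, yet the
# sender's display name claims the vendor brand and the body links to a ZIP.
SAMPLE = """From: ESET Advanced Threat Defense <alerts@partner.example>
To: soc@victim.example
Subject: Your device is targeted by a geopolitical motivated threat group
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=partner.example;
 dkim=pass header.d=partner.example;
 dmarc=pass header.from=partner.example
Content-Type: text/plain

Download the Unleashed protection tool here:
https://files.partner.example/unleashed/ESETUnleashed.zip
"""
AUTH_METHODS = ("spf", "dkim", "dmarc")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")

def auth_results(msg):
    """Parse 'method=result' pairs out of the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m: r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}

def triage(raw):
    """Return auth results plus findings that survive a passing SPF/DKIM/DMARC."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Assumed heuristic: vendor name in the display name but not in the domain.
    if "eset" in name.lower() and "eset" not in domain:
        findings.append(f"brand/domain mismatch: '{name}' sent from {domain}")
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if urlparse(url).path.lower().endswith(ARCHIVE_EXT):
            findings.append(f"archive download link: {url}")
    if findings and all(auth.get(m) == "pass" for m in AUTH_METHODS):
        # Passing SPF/DKIM/DMARC only proves origin, not benign content.
        findings.append("authenticated sender with suspicious content: "
                        "possible abuse of legitimate (partner) infrastructure")
    return {"auth": auth, "findings": findings}
```

Running `triage(SAMPLE)` yields all three findings, which is exactly the pattern of a message sent through a compromised but fully authenticated partner domain.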
“We are aware of a security incident which affected our partner company in Israel last week. Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure,” the cybersecurity firm stated.
Furthermore, ESET denied Beaumont’s claim that the company had been breached. “ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation.”
At the time of writing, it remains unclear how many Israeli businesses and organizations were targeted in the phishing campaign, or how Comsecure’s servers were breached.
According to Beaumont, Handala may be responsible for the phishing attack. In July, the pro-Palestine group claimed responsibility for a phishing campaign pretending to be CrowdStrike. It also claimed to have attacked Israeli dome radars.
The security expert also mentions CyberToufan, a ransomware operation that is linked to Iran.
CyberToufan recently sent a fax to multiple Israeli organizations, announcing ‘a flood of liberation for the entire Palestinian land’.
“We will never forget your war crimes against our women and children, and we will never forgive,” the fax said, referring to October 7, 2023, the day Hamas fired missiles in a coordinated surprise attack from the Gaza Strip on Israel.