ESET denies it was compromised as Israeli orgs targeted with 'ESET-branded' wipers

ESET denies being compromised after an infosec researcher highlighted a wiper campaign that appeared to victims as if it was launched using the Slovak security shop's infrastructure.

Kevin Beaumont blogged about an Israeli biz that said it was infected with a wiper after a staffer clicked a link in an email seemingly sent from the ESET Advanced Threat Defense Team in Israel.

The email itself passed DKIM and SPF checks against ESET's domain, said Beaumont, although according to a screenshot of it shared by one security pro, Google Workspace flagged it as malicious.

It appears the email was first sent on October 8, targeting cybersecurity professionals in Israel, with the .ZIP download hosted on ESET servers.

Targets were informed their devices were being aimed at by "a state-backed threat actor" and were invited to ESET's Unleashed program – which doesn't appear to exist as a standalone program, but Beaumont noted the branding is sometimes used by the vendor.

The download contains various ESET DLLs, the researcher said, as well as a malicious setup.exe. Beaumont described it as a fake ransomware, making calls to things like Mutex from Yanluowang's ransomware payload, for example.

It also made innocuous calls to an organization promoting the Iron Swords War memorial day, established to remember those who died when Hamas troops attacked Israel on October 7, 2023. The observation, combined with the day of infection, raises questions about whether this was a hacktivist at work.

"Email targeting seen so far is cybersecurity people within organizations across Israel," said Beaumont. "It appears there is no way to actually recover. It's a wiper."

ESET responded to the situation via X on Friday, denying Beaumont's claim that ESET Israel was itself compromised.

The security org said: "We are aware of a security incident which affected our partner company in Israel last week. Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure. ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation."

• Intel lightly hits back at China's accusations it bakes in NSA backdoors
• Biz hired, and fired, a fake North Korean IT worker – then the ransom demands began
• Uncle Sam puts $10M bounty on Russian troll farm Rybar
• Troubled US insurance giant hit by extortion after data leak

The source of the malicious activity isn't known, but the MO aligns neatly with that of the pro-Palestine Handala group, which for the past few months has attacked Israeli organizations and figureheads.

Trellix researchers noted in July that Handala has a propensity for wiper attacks in Israel, noting at the time that hundreds of the strikes targeted Israeli organizations in just a few weeks. The Israeli government published an urgent warning about the incidents in response.

More recently, Handala has been leaking what it claims to be private files, emails, and photos from the likes of Israeli politician Benjamin Gantz, former prime minister Ehud Barak, and diplomat to Germany Ron Prosor. All appear to be compromises of personal accounts.

Organizations that were recently singled out by the group include podcasting platform Doscast, Soreq Nuclear Research Center, point of sale vendor Max Shop, and firearms exporter Silver Shadow. ®