Iranian state-sponsored threat actor Cavern Manticore, linked to the Ministry of Intelligence and Security (MOIS), has executed a targeted campaign against Israeli government agencies and IT service providers. The intrusion leverages a supply chain compromise of the SysAid software platform to achieve initial access. Following exploitation, the actor deploys the "Cavern" (Cav3rn) framework, a modular and highly adaptable command-and-control (C2) architecture designed for deep reconnaissance and data exfiltration. This campaign demonstrates advanced tactical continuity with established Iranian APTs, specifically MuddyWater and Lyceum, utilizing specialized modular tasking to maintain persistence and navigate high-value environments.
-
Incident/Breach Overview
- Targeted campaign focused on high-value Israeli government sectors and IT service providers.
- Attributed to the Cavern Manticore cluster, identified as an Iranian state-sponsored entity (MOIS).
- Operations prioritized long-term intelligence gathering through compromised managed service environments.
-
Attack Vector/Campaign Mechanics
- Initial access achieved through the exploitation of the SysAid software supply chain.
- Leveraged the inherent trust between the SysAid vendor and its client infrastructure to bypass perimeter defenses.
- Deployment of the undocumented "Cavern" (Cav3rn) modular C2 framework for post-exploitation.
-
Threat Group Profile/Scale of Impact
- Exhibits high tactical similarity to known Iranian APTs, specifically MuddyWater and Lyceum.
- Employs a modular C2 architecture to facilitate adaptable reconnaissance and exfiltration tasks.
- Impact includes unauthorized access to sensitive government data and compromise of critical IT provider infrastructure.
-
Defensive Actions/Mitigation
- Immediate audit of SysAid software environments for signs of unauthorized access or anomalous activity.
- Implementation of strict supply chain risk management protocols for third-party IT management tools.
- Enhanced monitoring for modular C2 communication patterns and unusual data exfiltration signatures.
Related posts
- simplysecuregroup.com — Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations
- SC Media — Iranian hackers use new modular C2 framework against Israeli organizations
- Thehackernews
- Research
- Rescana
- News
- Infosecurity-magazine
- Hhs
- Jpost
- Ground
- SecurityWeek — Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks