A new threat actor we track as Agrius was observed operating in Israel in 2020. Initially engaged in espionage activity, Agrius attackers shifted to extorting targets, claiming they had stolen and encrypted their data. The data, however, could not be retrieved for any ransom, as it had been destroyed in a wiping attack.
An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets. The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups. Considering this and the nature of the known targets, we assess this is a nation-sponsored threat group.