
November 2, 2023

New wiper malware targeting Israeli Linux systems


Researchers have discovered a new wiper malware, dubbed BiBi-Linux, used by an unknown threat actor to destroy data belonging to Israeli companies. BiBi-Linux, with “BiBi” being a nod to the nickname of Israel’s Prime Minister Benjamin Netanyahu, corrupts files by overwriting them with useless data, rendering the files and parts of the operating system unusable.

BiBi-Linux fakes file encryption by renaming corrupted files to a random name and adding a BiBi string extension. However, unlike ransomware, BiBi-Linux does not leave a ransom note nor does it provide victims with payment or file recovery instructions.

Source: Bleeping Computer
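As an added triage example (not code from the original article or from Field Effect), the sketch below sweeps a directory tree for files carrying the renamed-file indicator described above and flags directories where most files have it. It assumes the appended extension contains the literal string "BiBi", since the article does not give the exact format; the function names, thresholds and sample tree are hypothetical.

```python
import os
import re
import tempfile
from collections import Counter

# Assumption: the final extension contains the literal string "BiBi".
# The article says only "a BiBi string extension"; adjust to the observed format.
BIBI_EXT = re.compile(r"\.[^./]*BiBi[^./]*$")


def sweep(root):
    """Return {directory: (renamed_count, total_files)} for directories with hits."""
    hits, totals = Counter(), Counter()
    # followlinks=False avoids loops and wandering outside the tree under review.
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            totals[dirpath] += 1
            if BIBI_EXT.search(name):
                hits[dirpath] += 1
    return {d: (hits[d], totals[d]) for d in hits}


def triage(root, ratio=0.5, min_hits=3):
    """Directories whose renamed share suggests mass overwriting, worst first.

    A single stray match is treated as noise; many matches making up most of
    a directory is the pattern a wiper run would leave behind.
    """
    flagged = [(d, h, t) for d, (h, t) in sweep(root).items()
               if h >= min_hits and h / t >= ratio]
    return sorted(flagged, key=lambda row: row[1] / row[2], reverse=True)


if __name__ == "__main__":
    # Constructed sample tree, built in a temp dir so the demo runs offline.
    with tempfile.TemporaryDirectory() as root:
        for sub, names in {
            "srv": ["q7x.BiBi1", "m2k.BiBi2", "z9p.BiBi3", "app.conf"],
            "home": ["notes.md", "BiBi.txt", "todo.BiBi1"],
        }.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        for directory, renamed, total in triage(root):
            print(f"{directory}: {renamed}/{total} files carry the BiBi extension")
```

On a suspected host, run the sweep against a read-only mount or forensic image rather than the live filesystem, so the evidence is not altered.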

Analysis

Destructive malware such as wipers has been used extensively by Russian threat groups to target the systems of Ukrainian organizations since Russia invaded Ukraine in February 2022.

Given the allegations that Russia provided training, weapons, and funds to Hamas to support its October 7th attack on Israel, it’s possible that Russia also provided Hamas with this cyber capability. On the other hand, the malware isn’t particularly sophisticated and could have been developed by any threat actor with some technical knowledge.

If Hamas is behind this campaign, it was likely carried out by Hamas members or supporters outside of the Gaza Strip, where internet access is currently severely limited.

Now that the Israeli invasion of Gaza appears to have begun, it’s possible that countries that support Hamas, such as Iran, Russia, Syria, and Lebanon, will make good on their threats to Israel and task their cyber operators with targeting Israeli entities.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors emerging threats like BiBi-Linux malware. Covalence users are automatically notified when malware is detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect recommends that governments and organizations in Israel, and those in support of Israel, adopt a heightened cybersecurity posture given the threat posed by pro-Hamas cyber actors.
