Phoenix Backup Hacktivists Target Israeli Companies in Cyberattack

A newly emerged hacktivist group dubbed “Phoenix Backup” has claimed responsibility for breaching two Israeli technology companies—Nibit Communications and Computers and IMLAW—in a coordinated cyberattack allegedly involving data exfiltration.

Security analysts at FalconFeeds.io first flagged the group’s activities on April 23, 2024, after it published samples of stolen data on a Telegram channel.

The incident underscores Iran’s escalating cyber campaign against Israeli entities, leveraging tactics consistent with state-aligned threat actors.

Attack Methodology and Technical Analysis

According to the post from FalconFeeds.io, the group infiltrated the companies’ networks using phishing emails disguised as legitimate business inquiries.

Once inside, they deployed custom malware designed to bypass endpoint detection systems and establish persistent access.

Forensic evidence suggests the attackers exploited unpatched vulnerabilities in Microsoft Exchange Server and Oracle WebLogic to escalate privileges and move laterally across networks.

The primary objective appears to have been data exfiltration—the unauthorized extraction of sensitive information—a hallmark of Iranian cyber operations.

Researchers identified PowerShell scripts and living-off-the-land binaries (LOLBins) used to compress and encrypt stolen data before exfiltration via HTTPS tunnels to cloud storage platforms.

This technique mimics legitimate traffic, complicating detection by traditional firewalls.

Compromised data reportedly includes customer databases, internal communications, and technical documentation related to defense contracts.

Iranian Cyber Tactics and Historical Context

The attack aligns with patterns observed in Iranian cyber campaigns, particularly those linked to the Islamic Revolutionary Guard Corps (IRGC).

Groups like CyberAv3ngers and APT34 have previously targeted Israeli critical infrastructure, deploying wiper malware and industrial control system (ICS) exploits.

Phoenix Backup’s use of Telegram for coordination and data leaks mirrors Iran’s 2016 breach of 15 million Telegram accounts, where attackers intercepted SMS verification codes to hijack activists’ and journalists’ accounts.

Notably, Iranian threat actors increasingly rely on third-party Telegram forks to avoid scrutiny.

In 2023, a breach of an unofficial Telegram client exposed 42 million Iranian users’ data, highlighting risks associated with unverified apps.

Phoenix Backup’s choice of Telegram for leaks likely capitalizes on its encryption features and broad reach within hacktivist circles.

Implications for Regional Cybersecurity

The exfiltrated data poses significant risks.

Personally identifiable information (PII) and intellectual property (IP) could be weaponized for espionage, sold on dark web markets, or used to fuel disinformation campaigns.

Of particular concern is Nibit Communications’ role in providing network infrastructure to Israeli defense contractors, raising fears of downstream attacks on military supply chains.

Cybersecurity firm Claroty warns that Iranian groups are refining OT/IoT-focused malware, such as the IOCONTROL backdoor, to disrupt critical systems.

In late 2024, CyberAv3ngers used similar tools to hijack U.S. fuel management systems, demonstrating capabilities to inflict physical damage.

Mitigation Strategies and Industry Response

To counter data exfiltration, experts recommend adopting zero-trust architectures, segmenting networks, and deploying behavioral analytics to detect anomalous data flows.
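The "anomalous data flows" check above, and the staged-upload behaviour described earlier (compressed archives pushed over HTTPS to cloud storage), can be approximated from proxy logs alone. The following is an added example, not code from the article or any vendor; it assumes a hypothetical log format, a constructed sample, and an assumed watch-list of cloud-storage domains, and flags any host whose daily upload volume to those domains jumps far above its own median.

```python
from collections import defaultdict
from statistics import median

# Constructed proxy log lines (hypothetical format, not from the article):
# <timestamp> <src_host> <dst_domain> <method> <bytes_out>
SAMPLE_LOG = """\
2024-04-20T10:02:11Z ws-17 docs.cloud-storage.test PUT 2097152
2024-04-21T09:45:03Z ws-17 docs.cloud-storage.test PUT 3145728
2024-04-22T11:12:40Z ws-17 docs.cloud-storage.test PUT 1048576
2024-04-23T02:14:09Z ws-17 docs.cloud-storage.test PUT 268435456
2024-04-23T02:16:51Z ws-17 docs.cloud-storage.test PUT 268435456
2024-04-23T02:20:00Z ws-17 crm.example-corp.test GET 4096
2024-04-22T14:03:00Z ws-42 docs.cloud-storage.test PUT 4194304
2024-04-23T14:05:00Z ws-42 docs.cloud-storage.test PUT 6291456
"""

CLOUD_SUFFIXES = (".cloud-storage.test",)  # assumed watch-list of upload destinations
MIN_BYTES = 64 * 1024 * 1024               # absolute floor: ignore small days
RATIO = 5.0                                # flag a day above 5x the host's median day

def daily_upload_totals(log_text):
    """Sum bytes per (host, day) for PUT/POST requests to watch-listed domains."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, method, nbytes = line.split()
        if method in ("PUT", "POST") and domain.endswith(CLOUD_SUFFIXES):
            totals[(host, ts[:10])] += int(nbytes)
    return totals

def flag_anomalous_days(totals, ratio=RATIO, min_bytes=MIN_BYTES):
    """Return (host, day, bytes) for days exceeding both the absolute floor and
    ratio x the host's median total over its other observed days."""
    per_host = defaultdict(dict)
    for (host, day), nbytes in totals.items():
        per_host[host][day] = nbytes
    flagged = []
    for host, days in sorted(per_host.items()):
        for day, nbytes in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if nbytes >= min_bytes and nbytes > ratio * baseline:
                flagged.append((host, day, nbytes))
    return flagged

def detect(log_text=SAMPLE_LOG):
    """Convenience wrapper: parse, aggregate, and flag in one call."""
    return flag_anomalous_days(daily_upload_totals(log_text))
```

In the constructed sample only ws-17 on 2024-04-23 is flagged (two 256 MiB uploads at 02:14 local time against a few-MiB baseline); a real deployment would swap the watch-list for the organisation's approved storage tenants and feed it from the proxy or CASB export.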

The IBM X-Force team emphasizes patching known vulnerabilities in enterprise software, noting that 60% of 2023 breaches stemmed from unpatched flaws.

Israeli cybersecurity agency INCD has issued advisories urging companies to audit third-party app usage and enforce multi-factor authentication (MFA) beyond SMS-based codes.

Meanwhile, Telegram reiterated warnings against unofficial forks, stressing that only its verifiable builds offer robust security.

As Phoenix Backup continues its campaign, the incident underscores the blurred line between hacktivism and state-sponsored cyber warfare.

With Iran investing heavily in asymmetric cyber capabilities, organizations must prioritize threat intelligence sharing and assume breaches are inevitable.
