Threat Group Cards: A Threat Actor Encyclopedia

APT group: HomeLand Justice

Names	HomeLand Justice (self given) Karma (self given) Void Manticore (Check Point) Storm-842 (Microsoft)
Country	Iran
Sponsor	State-sponsored, Ministry of Intelligence and Security (MOIS)
Motivation	Sabotage and destruction
First seen	2022
Description	(ClearSky) On September 23rd, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released an advisory analyzing a wave of cyber-attacks targeting the Government of Albania. The group, identifying as 'HomeLand Justice,' was attributed as an Iranian state threat actor. Homeland Justice launched its first campaign on July 15th, 2022, targeting Albanian e-government systems right before a planned conference of Iranian opposition group Mojahedin-e Khalq (Persian:مجاهدین ِ خلق), also known as MEK - a well-known Iranian group seeking to replace the current regime in Iran. The conference was cancelled following the attack. In September 2022, the actor launched a second campaign targeting Albanian border crossings. On December 24th, 2023, the actor publicized the current campaign, described in this blog, targeting Albanian infrastructure and government organizations. (Check Point) Void Manticore, linked to the Iranian Ministry of Intelligence and Security (MOIS), executes destructive wiping attacks alongside influence operations. Operating under various online personas, notably Homeland Justice for Albania and Karma for Israel, Void Manticore targets different regions with tailored attacks. Overlaps exist between Void Manticore and Scarred Manticore (OilRig, APT 34, Helix Kitten, Chrysene) targets, suggesting coordinated efforts and a systematic handoff of victims in MOIS. Utilizing five distinct methods, including custom wipers for Windows and Linux, Void Manticore disrupts operations through file deletion and shared drive manipulation.
Observed	Countries: Albania, Israel.
Tools used	BiBi Wiper, Cl Wiper, No-Justice Wiper, Plink, RevSocks, W2K Res Kit.
Operations performed	2023	Unveiling Void Manticore: Structured Collaboration Between Espionage and Destruction in MOIS <https://blog.checkpoint.com/research/unveiling-void-manticore-structured-collaboration-between-espionage-and-destruction-in-mois/> <https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/>
	Jan 2024	Iran-linked hackers claim attack on Albania's Institute of Statistics <https://therecord.media/iran-linked-hackers-claim-attack-on-albania-census-org>
Information	<https://www.clearskysec.com/wp-content/uploads/2024/01/No-Justice-Wiper.pdf> <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a>

Last change to this card: 18 June 2024

Download this actor card in PDF or JSON format