Check Point Research has identified Iranian state-sponsored hackers affiliated with Iran's Ministry of Intelligence and Security (MOIS) deploying a previously unknown command-and-control framework called Cavern, also tracked as Cav3rn. The modular C2 platform targets Israeli organizations, with confirmed attacks against IT service providers and government entities.
Cavern represents a significant escalation in the operational capabilities of MOIS-linked threat actors. The framework's modular architecture allows attackers to customize payloads and adapt tactics based on target environments and defensive posture. This flexibility reduces detection rates and extends operational persistence within compromised networks.
The targeting of IT providers creates particular risk for downstream clients. Compromised service providers become conduits for lateral movement into government networks, healthcare systems, and critical infrastructure. Israeli IT firms managing government contracts face heightened exposure. Attackers gain not only initial access but also the trust relationships and authentication credentials necessary to move deeper into victim ecosystems.
The MOIS connection links this activity to state-directed objectives rather than cybercriminal activity. Iran's intelligence service has historically targeted Israeli entities for espionage, network reconnaissance, and preparation for potential cyber operations. Cavern's development suggests investment in long-term infrastructure for sustained access and intelligence collection.
Organizations in Israel and those working with Israeli partners should implement network segmentation to limit lateral movement from compromised IT accounts. Defender detection should focus on unusual C2 beaconing patterns, particularly those using uncommon ports or protocols. Credential hygiene becomes critical—IT provider compromise assumes attacker access to privileged accounts spanning multiple organizations.
Check Point Research provided technical indicators and detection signatures for Cavern. Organizations should cross-reference their network logs against those signatures and audit recent access from IT provider accounts. Any suspicious connections from external vendors warrant credential rotation and forensic investigation.
