According to research by Tel Aviv-based cybersecurity firm ClearSky, several Israeli shipping and logistics websites were hacked to collect customer data. The firm attributes these attacks with "low confidence" to the Iranian hacking group Tortoiseshell (also known as TA456 and Imperial Kitten). The threat actor was first observed in the wild in July 2018.
At least eight Israeli websites were hit by the hacking campaign, including those of shipping company SNY Cargo, logistics company Depolog, and restaurant equipment supplier SZM. As of Tuesday, April 18th, ClearSky reported that the vast majority of websites had been purged of the malicious code.
In a watering hole attack, attackers compromise a website frequented by a target demographic, such as government officials, journalists, or corporate leaders. Once the site has been compromised, malicious code is injected into it and runs in the browser of every visitor, so the attackers reach their targets without contacting them directly.
Researchers at ClearSky found evidence that Iranian hackers had been using watering hole attacks since at least 2017. For instance, in 2018, the Israeli shipping, healthcare, government, and energy industries were all targeted by a suspected Iranian threat actor known as UNC3890.
The Iranian group Emennet Pasargad attacked the hosting service uPress in 2020, which was used by the majority of the affected websites. Consequently, thousands of Israeli websites were vandalized.
Due to the political animosity between them, Israel and Iran frequently engage in cyber conflict with one another. The Iranian attacks have varying goals, from stealing user data or destroying systems to spreading disinformation.
Over the past two years, the two countries have engaged in an increasingly aggressive cyberwar. According to Microsoft, Iranian state-sponsored groups are improving their cyber capabilities, though they still lag behind Russia and China. To penetrate businesses quickly, for instance, they may exploit newly publicized vulnerabilities and employ specialized tools.
In the past, Tortoiseshell has employed a supply chain attack against Saudi IT service providers using both bespoke and commercially available malware to compromise the clients of the targeted service providers.
In a prior Iranian campaign in 2017, ClearSky analysts observed a watering hole attack that loaded scripts from domain names imitating jQuery.
In the current campaign, at least eight Israeli websites belonging to shipping, logistics, and financial services organizations were compromised as part of a watering hole attack. Tortoiseshell, also known as Crimson Sandstorm (formerly Curium), Imperial Kitten, and TA456, is an Iranian threat actor tracked by ClearSky. "The infected sites collect preliminary user information through a script," ClearSky wrote in a technical report released on Tuesday. The malicious code has since been removed from the majority of the affected websites. Tortoiseshell had already attacked Saudi Arabian IT service providers as of July 2018, and it has also been seen attempting to trick U.S. military veterans into downloading remote access trojans through fake hiring websites.
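The injected data-collection script and the jQuery look-alike domains described above are exactly what a site operator can catch with a routine integrity check of the scripts a page loads. The following is an added example, not ClearSky's tooling or code from the affected sites: it parses a page's HTML, flags external scripts loaded from hosts outside an operator-maintained allowlist, separately flags hosts that imitate a well-known library name, and reports inline scripts whose hash is not in a known-good baseline. The allowlist, the sample page, and all host names in it are constructed.

```python
"""Audit the <script> tags of a page for signs of injected code.

Added example (not ClearSky's or the affected sites' code). The allowlist,
the watched library names and SAMPLE_HTML below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the operator expects scripts to be loaded from (assumption).
ALLOWED_HOSTS = {"code.jquery.com", "cdn.jsdelivr.net"}
# Library names that have been imitated in look-alike domains.
WATCHED_NAMES = ("jquery",)
# SHA-256 hashes of inline scripts that belong to the site; in practice this
# is filled from a known-good baseline of the page (empty here by construction).
KNOWN_INLINE_HASHES: set[str] = set()


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies in document order."""

    def __init__(self):
        super().__init__()
        self.external = []  # src attribute values
        self.inline = []    # bodies of <script> tags without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def inline_hash(body: str) -> str:
    """Hash of an inline script body, used to compare against the baseline."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def classify_host(host: str, allowed=ALLOWED_HOSTS) -> str:
    """'allowed' if on the allowlist, 'lookalike' if it imitates a watched
    library name, otherwise 'unexpected'."""
    host = host.lower()
    if host in allowed:
        return "allowed"
    if any(name in host for name in WATCHED_NAMES):
        return "lookalike"
    return "unexpected"


def audit_scripts(html: str, allowed=ALLOWED_HOSTS, known_inline=KNOWN_INLINE_HASHES):
    """Return a list of (kind, reference, verdict) findings for scripts that
    need a human look. Same-origin relative scripts are not reported."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative paths (same origin)
        if host is None:
            continue
        verdict = classify_host(host, allowed)
        if verdict != "allowed":
            findings.append(("external", host, verdict))
    for body in parser.inline:
        digest = inline_hash(body)
        if digest not in known_inline:
            findings.append(("inline", digest[:16], "unknown-inline"))
    return findings


# Constructed sample page: one legitimate CDN script, one look-alike host,
# one unexpected host, one same-origin script and one unbaselined inline script.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="//jquery-cdn.example/jquery.min.js"></script>
<script src="https://stats.example/collect.js"></script>
<script src="/js/app.js"></script>
<script>window.app = {};</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, ref, verdict in audit_scripts(SAMPLE_HTML):
        print(f"{verdict:15} {kind:9} {ref}")
```

Run against a fetched copy of each page on a schedule and alert on any finding; the baseline of inline hashes is rebuilt only on a deliberate deploy, so an inline script that appears between deploys, or a new external host, surfaces as soon as the next check runs. The look-alike check is deliberately crude (a substring match on the library name) because the goal is to route anything jQuery-shaped that is not the official CDN to a person, not to decide on its own.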