At least eight websites belonging to Israeli shipping, logistics, and financial services firms were compromised in a watering hole attack. Tel Aviv-based cybersecurity firm ClearSky attributed the attacks, with low confidence, to an Iranian threat actor tracked as Tortoiseshell, also known as Crimson Sandstorm (formerly Curium), Imperial Kitten, and TA456.
“The infected sites collect preliminary user information through a script,” ClearSky said in a recently published technical report. The malicious code has since been removed from most of the affected websites. Tortoiseshell has been active since at least July 2018; its earliest attacks focused on IT suppliers in Saudi Arabia. It has also been observed setting up fake job websites aimed at former members of the US military in an effort to trick them into installing remote access trojans.
This is also not the first time that Iranian activity clusters have used watering holes against the Israeli maritime industry. The technique, also known as a “strategic website compromise,” involves infecting a website that a particular user group or industry frequently visits, so that malware can be delivered to those visitors.
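A watering hole of the kind described above leaves a concrete trace on the compromised site: a script element that was not there before. The following added example (not code from ClearSky or from the affected sites) shows a simple defensive integrity check a site owner can run against fetched page HTML. It parses every `<script>` element and flags external scripts loaded from hosts outside an allowlist and inline scripts whose hash is not in a known baseline. The hostnames, the page markup, and the baseline are all constructed for the example.

```python
"""Audit a page's <script> elements against a baseline (added example, not ClearSky's code)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> element's src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # [{"src": str | None, "inline": str}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "inline": ""}

    def handle_data(self, data):
        # HTMLParser delivers script bodies as data while inside <script>...</script>
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inline_hash(body):
    """SHA-256 of an inline script body with surrounding whitespace removed."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def audit_scripts(html, site_host, allowed_hosts, known_inline_hashes):
    """Return a list of (finding, detail) tuples for scripts not in the baseline.

    site_host: hostname of the monitored site (relative src values resolve here)
    allowed_hosts: third-party hosts the site legitimately loads scripts from
    known_inline_hashes: SHA-256 digests of the site's own inline scripts
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for script in parser.scripts:
        if script["src"]:
            # A relative src (no hostname) is served by the site itself.
            host = urlparse(script["src"]).hostname or site_host
            if host != site_host and host not in allowed_hosts:
                findings.append(("unexpected-external-script", script["src"]))
        elif script["inline"].strip():
            digest = inline_hash(script["inline"])
            if digest not in known_inline_hashes:
                findings.append(("unknown-inline-script", digest))
    return findings


# --- Constructed sample data (hypothetical site, not one of the affected sites) ---
SITE_HOST = "shipping.example"
ALLOWED_HOSTS = {"cdn.shipping.example"}
BASELINE_INLINE = ["window.__appVersion = '1.0';"]
KNOWN_INLINE_HASHES = {inline_hash(body) for body in BASELINE_INLINE}

CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shipping.example/lib.js"></script>
<script>window.__appVersion = '1.0';</script>
</head><body>Tracking</body></html>"""

# The same page with an injected external loader and an injected inline snippet.
MODIFIED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://stats.unfamiliar-host.example/s.js"></script>\n'
    "<script>window.__t = Date.now();</script>\n</head>",
)

if __name__ == "__main__":
    print("clean page:", audit_scripts(CLEAN_PAGE, SITE_HOST, ALLOWED_HOSTS, KNOWN_INLINE_HASHES))
    for finding in audit_scripts(MODIFIED_PAGE, SITE_HOST, ALLOWED_HOSTS, KNOWN_INLINE_HASHES):
        print("finding:", *finding)
```

The check deliberately treats any unlisted third-party host as a finding rather than trying to judge whether a script looks malicious; the preliminary information-gathering script ClearSky describes would show up here simply because it was not part of the page's baseline. The same allowlist can be expressed as a Content-Security-Policy `script-src` directive so that the browser refuses unlisted scripts outright.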
The development comes as Israel continues to be the primary target of Iranian state-sponsored crews. Earlier this month, Microsoft detailed Iran’s new strategy of integrating “offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives.”