At least eight websites linked to Israeli shipping, logistics, and financial services firms were attacked in a watering hole assault. According to Tel Aviv-based cybersecurity firm ClearSky, the cyberattacks were blamed with low confidence on an Iranian threat actor known as Tortoiseshell, also known as Crimson Sandstorm (formerly Curium), Imperial Kitten, and TA456.
“The infected sites collect preliminary user information through a script,” ClearSky said in a recently published technical report. The malicious code has been removed from the majority of the affected websites. Tortoiseshell has been active since at least July 2018, with its initial attacks focusing on Saudi Arabian IT suppliers. Additionally, it has been shown to build up phony employment websites for former members of the US military in an effort to con them into installing remote access trojans.
However, this is not the first time that Iranian activity clusters have targeted the Israeli maritime industry with watering holes. The assault technique, also known as “strategic website compromises,” involves infecting a website that is frequently accessed by a certain user group or by people working in a particular industry to facilitate the spread of malware.
An Israeli shipping company’s official login page was used by an up-and-coming Iranian actor by the name of UNC3890 in August 2022 to host a watering hole that was intended to send log-in information to an attacker-controlled domain. The most recent breaches reported by ClearSky demonstrate how similarly the malicious JavaScript injected into the websites operates, gathering data about the system and transferring it to a distant location.
The JavaScript code further attempts to ascertain the user’s preferred language, which according to ClearSky, might be “useful to the attacker to customize their attack based on the user’s language.” Additionally, the attacks employ jquery-stack[.]online as a command-and-control domain (C2). The fake jQuery JavaScript framework is intended to blend in and avoid detection.
Israel continues to be the primary target for Iranian state-sponsored crews at the time of the development. Earlier this month, Microsoft revealed its new strategy of integrating “offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives.”
