ClearSky cybersecurity experts have discovered a sophisticated watering hole attack targeting multiple Israeli websites.
The malicious attempt is believed to have been perpetrated by Iranian nation-state actors and has raised concerns for the safety of shipping and logistics companies operating in the region.
“In watering hole attacks, attackers compromise websites frequently visited by specific groups, such as government officials, journalists, and business executives,” the company said in an advisory released today.
“Once compromised, an attacker can inject malicious code into a website, which will be executed when a user visits the website. Currently, the campaign is focused on shipping and logistics companies. This is consistent with Iran’s focus in this area over the past three years.”
The ClearSky team attributes the attack, with low confidence, to Tortoiseshell, also known as TA456 or Imperial Kitten, a hacker group that has traditionally been associated with Iranian cyber operations.
“Previous Tortoiseshell attacks targeted IT providers in Saudi Arabia, using both custom and off-the-shelf malware, in what appeared to be supply chain attacks with the ultimate goal of compromising the IT provider’s customers,” explained ClearSky.
The threat actor has been active since at least July 2018, according to the company’s advisory.
To trick unsuspecting visitors, the attackers used a lookalike domain name to impersonate the legitimate jQuery JavaScript framework.
According to ClearSky, the same technique was used during the 2017 Iran campaign. The attackers also used open-source penetration testing tools and incorporated code and unique strings from the Metasploit framework.
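As an added defender-side illustration (not code from ClearSky's advisory or from this article), the following Python snippet lists the external script includes on a page whose host imitates jQuery but is not one of the CDNs the library is normally served from; the allowlist of legitimate hosts and the sample page are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts from which the real jQuery library is normally served (an assumed
# allowlist; adapt it to the CDNs your own sites actually use).
LEGIT_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com",
                      "cdnjs.cloudflare.com", "cdn.jsdelivr.net"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typosquats such as 'jqeury'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_jquery_lookalike_host(host: str) -> bool:
    """True if the host contains or nearly spells 'jquery' but is not allowlisted."""
    host = host.lower()
    if host in LEGIT_JQUERY_HOSTS:
        return False
    labels = [l for part in host.split(".") for l in part.split("-")]
    return any("jquery" in l or (len(l) >= 5 and edit_distance(l, "jquery") <= 2)
               for l in labels)


def find_lookalike_script_includes(html: str) -> list[str]:
    """Return the src of every external <script> served from a jQuery-lookalike host."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse("https:" + src if src.startswith("//") else src).hostname
        if host and is_jquery_lookalike_host(host):
            hits.append(src)
    return hits


# Constructed sample page: a genuine jQuery include, a lookalike include from a
# made-up placeholder domain (not the domain from the incident), and a first-party script.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="//jquery-cdn.example/jquery.min.js"></script>
<script src="https://www.example.com/js/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for s in find_lookalike_script_includes(SAMPLE_HTML):
        print("lookalike jQuery include:", s)
```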
ClearSky said it has identified eight websites compromised using similar JavaScript techniques.
Although most websites have been cleaned of malicious code, ClearSky said further investigations are underway to ensure complete eradication of the threat.
The attack, reported by ClearSky, comes just weeks after a new Android monitoring tool was attributed to the Islamic Republic of Iran Law Enforcement Command (FARAJA).