At least eight websites linked to shipping, logistics and financial services companies in Israel were targeted as part of the waterhole attack.
Tel Aviv-based cybersecurity firm ClearSky attributed the low-confidence attack to a tracked Iranian threat actor. Turtle shellwhich is also called Crimson Sandstorm (formerly Curium), Imperial Kitten, and TA456.
“The infected site collects initial user information through scripts,” ClearSky said in a technical report published Tuesday. Most of the affected websites have been stripped of the rogue code.
Tortoiseshell is known to have been active since at least July 2018 initial attack targeting IT providers in Saudi Arabia. It has also been observed setting up fake recruiting sites for US military veterans in an attempt to trick them into downloading a remote access trojan.
That said, this is not the first time the Iranian activity cluster has set their sights on the Israeli shipping sector with a watering hole.
The attack method, also called strategic website compromise, works by infecting websites that are known to be frequented by a group of users or those within a particular industry to enable the spread of malware.
In August 2022, an emerging Iranian actor named UNC3890 was linked to a watering hole hosted on a legitimate Israeli shipping company login page designed to transmit initial data about logged in users to attacker-controlled domains.
Developments come as Israel continues became the most prominent target for Iranian state-sponsored crews. Microsoft, earlier this month, highlighted their new approach of combining “offensive cyber operations with multi-pronged influence operations to trigger geopolitical change in line with regime goals.”