Iranian Tortoiseshell Hackers Target Israeli Logistics Industry
At least eight websites linked to shipping, logistics and financial services companies in Israel were targeted as part of the waterhole attack.
Tel Aviv-based cybersecurity firm ClearSky attributed the low-confidence attack to a tracked Iranian threat actor. Turtle shellwhich is also called Crimson Sandstorm (formerly Curium), Imperial Kitten, and TA456.
“The infected site collects initial user information through scripts,” ClearSky said in a technical report published Tuesday. Most of the affected websites have been stripped of the rogue code.
Tortoiseshell is known to have been active since at least July 2018 initial attack targeting IT providers in Saudi Arabia. It has also been observed setting up fake recruiting sites for US military veterans in an attempt to trick them into downloading a remote access trojan.
That said, this is not the first time the Iranian activity cluster has set their sights on the Israeli shipping sector with a watering hole.
The attack method, also called strategic website compromise, works by infecting websites that are known to be frequented by a group of users or those within a particular industry to enable the spread of malware.
In August 2022, an emerging Iranian actor named UNC3890 was linked to a watering hole hosted on a legitimate Israeli shipping company login page designed to transmit initial data about logged in users to attacker-controlled domains.
The latest intrusions documented by ClearSky show that malicious JavaScript injected into websites works in a similar way, gathering information about the system and sending it to remote servers.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Fraud can detect advanced threats, stop lateral moves, and improve your Zero Trust strategy. Join our insightful webinar!
The JavaScript code then attempts to determine the user’s language preference, which ClearSky says can be “useful for attackers to tailor their attacks based on the user’s language.”
In addition, the attack also uses a domain called jquery-stack(.)online for command-and-control (C2). Its goal is to fly under the radar by emulating the legitimate jQuery JavaScript framework.
Developments come as Israel continues became the most prominent target for Iranian state-sponsored crews. Microsoft, earlier this month, highlighted their new approach of combining “offensive cyber operations with multi-pronged influence operations to trigger geopolitical change in line with regime goals.”
