Maritime Risk Intelligence Blog

Suspected Iranian hackers target Israeli shipping and logistics companies

Written by The Record | June 6, 2023 at 7:00 AM

Several shipping and logistics websites in Israel were hacked to gather information about their users, according to a report by Tel Aviv-based cybersecurity company ClearSky.

The company attributes these attacks “with a low confidence” to the Iranian nation-state hacker group Tortoiseshell, also called TA456 and Imperial Kitten. The threat actor has been active since at least July 2018.

The hacking campaign targeted at least eight Israeli websites — including shipping company SNY Cargo, logistics firm Depolog and restaurant equipment supplier SZM — with a watering hole attack. Most websites were already cleared of the malicious code as of April 18, ClearSky said.

In a watering hole attack, hackers compromise a website that is frequently visited by a specific group of people, such as government officials, journalists, or corporate executives. Once hacked, attackers can inject harmful code into the website, which gets activated when users visit the site.

Watering hole attacks have been used by Iranian hackers since 2017, according to ClearSky researchers. Last year, for example, a suspected Iranian threat actor tracked by Mandiant as UNC3890 used this method to target shipping, healthcare, government, and energy companies in Israel.

In the recent attack, hackers used malicious JavaScript. The collected data includes the user's IP address, screen resolution and the URL of the previously visited webpage.. The hackers also tried to determine the user’s computer language preference to customize their attacks in the future, ClearSky said

The majority of the compromised websites were using the uPress hosting service, which was targeted in 2020 by the Iranian group Emennet Pasargad. Thousands of Israeli sites were defaced as a result.

Israel and Iran often face-off in cyberspace to the political tension between the two countries. Some of the Iranian attacks aim to steal user data or destroy systems, others are intended to spread disinformation.

The covert cyberwar between the two countries has escalated over the past two years. Although Iranian state-sponsored actors are not as advanced as their Russian and Chinese counterparts, they are enhancing their cyber capabilities, according to Microsoft. For example, they rapidly exploit recently disclosed vulnerabilities to breach organizations and use tailored tools against their targets.

Tortoiseshell has previously used both custom and off-the-shelf malware to target IT providers in Saudi Arabia with a supply chain attack aimed at compromising the IT providers' customers.

In the recent attack, hackers used the domain jquery-stack[.]online, which was previously attributed to Tortoiseshell. This domain impersonated the legitimate JavaScript framework jQuery to deceive anyone who checks the website code.

ClearSky researchers have already seen domain names impersonating jQuery in a previous Iranian campaign from 2017 using a watering hole attack.

Source: The Record