Several Israeli websites have been targeted in a watering hole campaign that cybersecurity researchers believe is the work of an Iranian nation-state threat group. Cybersecurity firm ClearSky Cyber Security detected the attack campaign, which focuses on shipping and logistics companies. Once a site is infected, a malicious script collects preliminary user information.
ClearSky attributes the campaign with “low confidence specific attribution” to the Tortoiseshell group out of Iran. However, the targeting of shipping and logistics companies aligns with Iran’s history of cyberattacks against that sector over the past three years.
“The threat actor has been active since at least July 2018,” ClearSky stated in its report. “Previous Tortoiseshell attacks have been observed using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appeared to be supply chain attacks with the end goal of compromising the IT providers’ customers.”
ClearSky researchers discovered that the command-and-control (C2) server used in the attacks was linked to Tortoiseshell.
Watering hole attacks have been among the initial access vectors most used by Iranian threat actors since at least 2017. ClearSky researchers found four domains impersonating jQuery; domain names impersonating jQuery were also deployed in a previous Iranian watering hole campaign in 2017.
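As an added example (not code from ClearSky's report or from the campaign), a check a site owner can run against their own pages for the jQuery-impersonation pattern described above: it lists every third-party script host a page loads, so sudden changes can be compared against a known baseline, and flags any host that looks like jQuery but is not on an allowlist of legitimate CDNs. The allowlist, the site hostname and the sample HTML are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve jQuery. This allowlist is an assumption for the
# example; a real deployment would use the CDNs the site actually relies on.
LEGIT_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def audit_scripts(html, site_host):
    """Return third-party script hosts and the subset that impersonate jQuery.

    A script is third-party when its URL names a host other than site_host;
    relative paths (no host) are same-origin and ignored. A third-party host is
    treated as a jQuery lookalike when 'jquery' appears in its name but the
    host is not on the allowlist (e.g. a typosquat of the real CDN).
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    third_party, lookalike = [], []
    for src in parser.srcs:
        # scheme="https" lets protocol-relative "//host/path" URLs parse a hostname
        host = urlparse(src, scheme="https").hostname
        if not host or host == site_host.lower():
            continue  # same-origin script, not a third-party load
        third_party.append(host)
        if "jquery" in host and host not in LEGIT_JQUERY_HOSTS:
            lookalike.append(host)
    return {"third_party": third_party, "lookalike_jquery": lookalike}


# Constructed sample page: one same-origin script, one real jQuery CDN load,
# and one script from a placeholder lookalike domain (.example is reserved).
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="//jquery-cdn.example/jquery.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_PAGE, "www.shipping-site.example"))
```

Running the audit on a schedule and diffing the third-party host list against the previous run is one way to notice an injected loader before users do.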
Iranian threat actors have typically targeted Israeli websites to collect data on logistics companies associated with shipping and healthcare. This latest website attack spotted by ClearSky is similar to an effort observed last year where an Iranian threat actor named UNC3890 was targeting shipping companies in Israel via a similar type of attack.
There is no news at the moment on whether any data has been stolen from the eight infected websites. However, cyber experts warn that it is essential for shipping and logistics firms to be extra cautious. Significant growth over the past several years has pushed far more logistics data online. Given the critical role of shipping and logistics companies in the global supply chain, a successful cyberattack could have severe consequences.
A successful cyberattack can cause reputational damage and typically leads to lost business opportunities and possibly bankruptcy. In the worst-case scenario, cybercriminals may compromise the supply chain’s integrity, leaving a company open to lawsuits. Financial damage to victims is only one consequence of the growing number of cyberattacks worldwide. Authorities also warn of political and military risks, as critical infrastructure could be targeted.
As a precautionary measure, cybersecurity experts suggest that companies in the logistics and shipping industries should always keep their security systems updated and be wary of sudden changes in traffic on their websites.
Iranian hacking crews are known to use watering hole and spear-phishing techniques as part of state-sponsored advanced persistent threat campaigns. The latest incident is just one example of how the cyber threat landscape remains dynamic as geopolitical shifts influence the activities of hacker groups worldwide.
Cybersecurity experts believe this will be an ongoing trend in cyberattacks, with logistics and shipping companies remaining an attractive target for hostile nation-state groups. Given the critical role shipping and logistics companies play in the global economy, nations worldwide will be looking to invest heavily in cybersecurity strategies to defend against such attacks.