At least eight Israeli websites have been targeted in a watering hole campaign that researchers say could be the work of an Iranian nation-state threat group.
The attack campaign, discovered by ClearSky Cyber Security, focuses on shipping and logistics companies. Once a site is infected, a malicious script collects preliminary user information.
ClearSky said it has "a low confidence specific attribution" to the Tortoiseshell group out of Iran. The targeting of shipping and logistics companies aligns with Iran's history of cyberattacks against that sector over the past three years.
"Previous Tortoiseshell attacks have been observed using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appeared to be supply chain attacks with the end goal of compromising the IT providers' customers," the company claims. "The threat actor has been active since at least July 2018."
ClearSky tied the C&C server used in the attacks to Tortoiseshell.
Watering hole attacks have been among the initial access vectors most used by Iranian threat actors since at least 2017. ClearSky researchers observed four domains impersonating jQuery in this campaign; domain names impersonating jQuery were also deployed in a previous Iranian watering hole campaign in 2017.
Iranian threat actors have traditionally targeted Israeli websites in an attempt to collect data on logistics companies associated with shipping and healthcare. This latest website attack spotted by ClearSky is similar to an effort observed last year in which an Iranian threat actor tracked as UNC3890 targeted shipping companies in Israel via a similar type of attack.