A Persian-speaking threat group has been discovered targeting industries ranging from healthcare to energy, with a particular focus on the shipping sector.
According to a report from Mandiant, which named the group UNC3890, the campaign uses email-borne social-engineering lures and a watering hole hosted on a login page of a legitimate Israeli shipping company to disguise the activity. While it targets mainly Israeli victims, the report advised that targets also include multinational companies, suggesting that the threat could have a global impact.
Credential-stealing could allow the threat actor to gain initial access to a targeted organization for espionage purposes, according to the firm. For example, the credentials may allow the actor to connect to a victim’s Office 365 mailbox and steal all the victim’s email correspondence, thus gaining valuable insights about the victim and their organization’s activity.
"We observed the C2 servers communicating with multiple targets, as well as with a watering hole that we believe was targeting the Israeli shipping sector, in particular entities that handle and ship sensitive components," the report notes.
Mandiant senior analyst Ofir Rozmann says the interest this actor shows in the shipping sector is most concerning, since the intelligence it gathers may be leveraged for more aggressive efforts, like kinetic warfare operations.
"While we don’t know what exact data the attackers gained access to, compromising a shipping company’s website and gathering intel on its users may have provided the attackers with data about cargo’s contents, when it’s being sent and its location over time," he explains. "This sort of data is important if Iran wishes to conduct kinetic operations targeting these shipments."
Furthermore, this type of access may also be used to send phishing emails from within the organization, bolstering legitimacy and compromising more mailboxes and/or computers, or affecting downstream customers.
A Taste for Custom Malware
The group, which operates an interconnected network of command-and-control (C2) servers, spoofs legitimate services including Office 365 and the social networks LinkedIn and Facebook, with phishing lures that include fake job offers and fake commercials for AI-based robotic dolls.
Once a victim is compromised, the group delivers two proprietary pieces of malware, which Mandiant dubbed Sugarush and Sugardump.
Sugarush is a backdoor that establishes a reverse shell over TCP to a hardcoded C2 address, according to the new analysis.
Sugardump, meanwhile, harvests credentials from Chrome, Opera, and Edge Chromium browsers and can also exfiltrate the stolen data via the Gmail, Yahoo, and Yandex email services.
According to the report, several versions of Sugardump have been observed, with the first dating back to 2021, which stored credentials without exfiltrating them. Later versions use either SMTP or HTTP for C2 communications, and they have more advanced credential-harvesting functionality.
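The behaviour described above (a non-browser process reading Chromium-family password stores and then sending mail through a consumer webmail provider) is something a defender can correlate in endpoint telemetry. The following is an added example, not Mandiant's code and not anything recovered from UNC3890 tooling; the event format, the field names, the process allowlists and the sample events are all constructed assumptions, and the `update.exe` process in the sample is hypothetical.

```python
"""Correlate endpoint telemetry to flag browser-credential theft followed by
webmail-based exfiltration, the pattern the report attributes to Sugardump.

Added example (not Mandiant's code and not UNC3890 tooling); the event
schema, allowlists and sample events below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Password stores of the Chromium-family browsers named in the report
# (Chrome, Opera, Edge); each keeps saved logins in a "Login Data" SQLite file.
LOGIN_DATA_RE = re.compile(
    r"\\(Google\\Chrome|Opera Software\\Opera Stable|Microsoft\\Edge)"
    r"\\.*Login Data$",
    re.IGNORECASE,
)

# SMTP submission endpoints of the webmail providers named in the report
# (Gmail, Yahoo, Yandex) on the usual submission ports.
WEBMAIL_SMTP_HOSTS = {"smtp.gmail.com", "smtp.mail.yahoo.com", "smtp.yandex.com"}
SMTP_PORTS = {465, 587}

# Assumption: processes expected to touch these stores or to speak SMTP.
# Tune both allowlists to the environment being monitored.
ALLOWED_READERS = {"chrome.exe", "opera.exe", "msedge.exe"}
ALLOWED_SMTP_CLIENTS = {"outlook.exe", "thunderbird.exe"}

WINDOW = timedelta(minutes=30)  # max gap between the read and the SMTP connection


def _ts(s):
    return datetime.fromisoformat(s)


def detect_credential_exfil(events):
    """Return one alert per process that reads a Login Data file.

    Severity is 'medium' for the read alone and 'high' when the same process
    also opens an SMTP connection to a webmail provider within WINDOW.

    Each event is a dict: ts (ISO 8601), host, pid, image (full path),
    kind ('file_read' or 'net_conn'), target (file path, or 'host:port').
    """
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["pid"], ev["image"])].append(ev)

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in ALLOWED_READERS:
            continue  # a browser legitimately opens its own password store
        evs.sort(key=lambda e: _ts(e["ts"]))
        reads = [e for e in evs
                 if e["kind"] == "file_read" and LOGIN_DATA_RE.search(e["target"])]
        if not reads:
            continue
        first_read = _ts(reads[0]["ts"])
        exfil = []
        for e in evs:
            if e["kind"] != "net_conn" or exe in ALLOWED_SMTP_CLIENTS:
                continue
            dst, _, port = e["target"].rpartition(":")
            if (dst.lower() in WEBMAIL_SMTP_HOSTS and port.isdigit()
                    and int(port) in SMTP_PORTS
                    and first_read <= _ts(e["ts"]) <= first_read + WINDOW):
                exfil.append(dst.lower())
        alerts.append({
            "host": host, "pid": pid, "image": image,
            "rule": "credential_exfil_via_webmail" if exfil
                    else "browser_credential_store_read",
            "severity": "high" if exfil else "medium",
            "stores_read": sorted({r["target"] for r in reads}),
            "smtp_hosts": sorted(set(exfil)),
        })
    return alerts


# Constructed sample telemetry (not real indicators). The suspicious process
# is a hypothetical 'update.exe' dropped into a user's Temp directory.
_SUSPECT = r"C:\Users\ana\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"ts": "2022-08-01T10:00:00", "host": "WS01", "pid": 4242, "image": _SUSPECT,
     "kind": "file_read",
     "target": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2022-08-01T10:00:05", "host": "WS01", "pid": 4242, "image": _SUSPECT,
     "kind": "file_read",
     "target": r"C:\Users\ana\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"ts": "2022-08-01T10:04:30", "host": "WS01", "pid": 4242, "image": _SUSPECT,
     "kind": "net_conn", "target": "smtp.gmail.com:465"},
    # Benign: the browser itself opening its own store.
    {"ts": "2022-08-01T10:02:00", "host": "WS01", "pid": 1337,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "kind": "file_read",
     "target": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: a mail client sending over SMTP without touching any password store.
    {"ts": "2022-08-01T10:03:00", "host": "WS01", "pid": 2001,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "kind": "net_conn", "target": "smtp.gmail.com:587"},
]

if __name__ == "__main__":
    for alert in detect_credential_exfil(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only the Temp-directory process is reported, at high severity, because it both read two browser stores and reached a webmail SMTP endpoint within the window; the browser's own read and the mail client's SMTP traffic are left alone. The medium-severity read-only alert is what you would expect to see from a Sugardump variant like the 2021 build that stored credentials without sending them anywhere.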
Other tools used by UNC3890 include Unicorn for PowerShell-type attacks, the Metasploit framework, and NorthStar C2, which is a publicly available open source C2 framework developed for penetration testing and red teaming.
"In addition, we identified an UNC3890 server that hosted several .ZIP files containing scraped contents of Facebook and Instagram accounts of legitimate individuals," the report says. "It is possible they were targeted by UNC3890, or used as lures in a social-engineering effort."
The group has been in operation since at least late 2020 and is currently perceived as an active threat.
Espionage for Many Outcomes
Rozmann adds that intelligence collection is a key component of any state-sponsored activity, since it helps keep the leadership and Iranian intelligence agencies informed when strategizing or making plans against their targets.
"While we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities, from hack-and-leak to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years," according to Mandiant's analysis.
Whether it remains covert or is leveraged for more overt operations, the intel opens up options for a threat actor. For example, targeting the government sector may provide access to sensitive strategic, political, or defense-related data that can be beneficial for future negotiations, exposed/sold, or leveraged against the victims.
Attribution to Iran's Government?
While UNC3890 is almost certainly based in Iran, "we don’t have enough evidence to determine whether this is a state-backed threat," Rozmann notes. "However, it is plausible, based on the actor’s geographical focus, the targeted sectors and the focus on intelligence collection."
He adds that a typical cybercrime gang that's financially motivated would probably be interested in other information, such as bank accounts, and use other methods, such as ransomware attacks.
"Furthermore, it would target a broader spectrum of sectors and geographies in an effort to maximize potential profit," he says.
The United States, United Kingdom, and Australia have all recently warned that Iran-linked cyberattack groups have been ramping up operations.
The Iranian state has been blamed for many prior efforts targeting civilians in Israel, including attacks on water infrastructure and on an insurance company.
In June, Microsoft disabled the Iran-linked Lebanese hacking group Polonium after it discovered the threat actors abusing its OneDrive personal storage service. Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says — all of which offered an avenue to carry out downstream supply chain attacks.