
Suspected Iranian Hackers Targeted Several Israeli Organizations for Espionage
2022-08-23 11:44

A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations as part of an espionage-focused campaign that commenced in late 2020.

Cybersecurity firm Mandiant is tracking the group under its uncategorized moniker UNC3890, which is believed to conduct operations that align with Iranian interests.

"The collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years," the company's Israel Research Team noted.

The group's watering hole was, as of November 2021, hosted on the login page of a legitimate Israeli shipping company, Mandiant pointed out, adding that the malware planted there transmitted preliminary data about the logged-in user to an attacker-controlled domain.
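A watering hole of the kind described above works by adding a beacon to a page the target already trusts, so the first check a defender can run is to enumerate every host a login page loads scripts from or posts form data to and flag any that are not first-party. The following is an added example, not code from Mandiant or the article; the HTML and the domain names in it are constructed for illustration and do not correspond to the real shipping company or the attacker infrastructure.

```python
"""Spot third-party fetches injected into a login page.

Added example (not from the Mandiant report): enumerate every external host
that a page loads scripts, images, stylesheets or frames from, or submits a
form to, and flag hosts outside the site's own allowlist. All HTML and
domain names here are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make a browser contact a host when the page renders
# or when the user submits the form.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "form": ("action",),
}


class ExternalHostCollector(HTMLParser):
    """Record (tag, attribute, host) for every absolute URL in FETCH_ATTRS."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                host = urlparse(value).hostname
                if host:  # relative URLs have no host and stay first-party
                    self.refs.append((tag, name, host.lower()))


def find_foreign_hosts(html, allowed_hosts):
    """Return sorted, de-duplicated (tag, attr, host) tuples whose host is
    neither in allowed_hosts nor a subdomain of an allowed host."""
    allowed = {h.lower() for h in allowed_hosts}
    parser = ExternalHostCollector()
    parser.feed(html)
    foreign = []
    for tag, attr, host in parser.refs:
        if host in allowed or any(host.endswith("." + a) for a in allowed):
            continue
        foreign.append((tag, attr, host))
    return sorted(set(foreign))


# Constructed login page: the legitimate form plus an injected script and a
# tracking pixel pointing at a hypothetical attacker host.
SAMPLE_LOGIN_PAGE = """
<html><head>
<link rel="stylesheet" href="https://static.shipping-co.example/css/login.css">
<script src="/js/login.js"></script>
<script src="https://cdn.collect-stats.example/track.js"></script>
</head><body>
<form action="https://portal.shipping-co.example/auth/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<img src="https://cdn.collect-stats.example/p.gif?u=login" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, host in find_foreign_hosts(SAMPLE_LOGIN_PAGE, ["shipping-co.example"]):
        print(f"foreign host in <{tag} {attr}>: {host}")
```

Run against a saved copy of the page, the check surfaces the injected `cdn.collect-stats.example` references while leaving the site's own static and portal subdomains alone. It is a static check only: a script served from a legitimate host that has itself been tampered with would need content hashing or monitoring of the resulting network connections to catch.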

While the exact method of initial access remains unknown, it is suspected to involve a mix of watering holes, credential harvesting via pages masquerading as legitimate services, and fraudulent job offers for a software developer position at the data analytics firm LexisNexis.

SUGARUSH, the second of two bespoke malware families described in the report, works by establishing a connection to an embedded C2 server and executing arbitrary CMD commands issued by the attacker, giving the adversary hands-on control of the compromised host once initial access has been gained.


News URL

https://thehackernews.com/2022/08/suspected-iranian-hackers-targeted.html