Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific

Israeli Shipping, Logistics Companies Targeted in Watering Hole Attacks

Researchers say the Iranian nation-state actor known as Tortoiseshell could be behind the attacks.

Elephants at a watering hole
Source: Lise Honsinger via Alamy Stock Photo

At least eight Israeli websites have been targeted in a watering hole campaign that researchers say could be the work of an Iranian nation-state threat group.

The attack campaign, discovered by ClearSky Cyber Security, focuses on shipping and logistics companies. Once a site is infected, a malicious script collects preliminary user information.

ClearSky said it has "a low confidence specific attribution" to the Tortoiseshell group out of Iran. The targeting of shipping and logistics companies aligns with Iran's history of cyberattacks against that sector over the past three years.

"Previous Tortoiseshell attacks have been observed using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appeared to be supply chain attacks with the end goal of compromising the IT providers' customers," the company claims. "The threat actor has been active since at least July 2018."

ClearSky tied the C&C server used in the attacks to Tortoiseshell.

Watering hole attacks have been part of the initial access vector used most overall by Iranian threat actors since at least 2017. ClearSky researchers observed four domains impersonating jQuery, and domain names impersonating jQuery were deployed in a previous Iranian campaign from 2017 using a watering hole attack.

Iranian threat actors traditionally have targeted Israeli websites in an attempt to collect data on logistics companies associated with shipping and healthcare. This latest website attack spotted by ClearSky is similar to an effort observed last year where an Iranian threat actor named UNC3890 was targeting shipping companies in Israel via a similar of type of attack.

About the Author

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights