Cybersecurity experts at ClearSky have discovered a sophisticated watering hole attack targeting multiple Israeli websites.
The malicious attempt, believed to be conducted by a nation-state actor from Iran, has raised concerns about the security of shipping and logistics companies operating in the region.
“In watering hole attacks, the attacker compromises a website that is frequently visited by a specific group of people, such as government officials, journalists, or corporate executives,” reads an advisory published by the company today.
“Once compromised, the attacker can inject malicious code into the website, which will be executed when users visit it. Currently, the campaign focuses on shipping and logistics companies, aligning with Iran’s focus on the sector for the past three years.”
The ClearSky team has attributed the attack with low confidence to Tortoiseshell, also known as TA456 or Imperial Kitten, a hacking group traditionally linked to Iranian cyber operations.
“Previous Tortoiseshell attacks have been observed using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appeared to be supply chain attacks with the end goal of compromising the IT providers’ customers,” ClearSky explained.
According to the company’s advisory, the threat actor has been active since at least July 2018.
To trick unsuspecting visitors, the attackers impersonated the legitimate JavaScript library jQuery, using domain names that resemble the genuine ones so that the injected script appears to be an ordinary jQuery include.
ClearSky said the same technique was previously employed in a 2017 Iranian campaign. The attackers also used open-source penetration testing tools, incorporating code from the Metasploit framework alongside unique strings.
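The look-alike domain technique described above leaves a simple artifact on a compromised page: a script tag whose source host imitates jQuery but is not one of the hosts that actually serve it. The following scanner is an added example written for this article, not code from ClearSky's advisory, and it shows one way a site owner could audit their own HTML for such includes. The allow-list of legitimate jQuery hosts, the edit-distance threshold and the sample page are assumptions; the domains in the sample are constructed for illustration and are not the ones observed in the campaign.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list of hosts that legitimately serve jQuery; extend it for
# any internal CDN your own sites use.
LEGIT_JQUERY_HOSTS = {
    "code.jquery.com",
    "ajax.googleapis.com",
    "cdnjs.cloudflare.com",
    "cdn.jsdelivr.net",
}

# Matches external <script src="..."> includes (single or double quotes).
SCRIPT_SRC_RE = re.compile(r'''<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']''', re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as 'jqeury'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_jquery(host):
    """True if any DNS label of host contains or closely imitates 'jquery'."""
    for label in host.lower().split("."):
        # Attackers pad the brand with separators ("jquery-cdn"); split them off.
        for part in re.split(r"[-_]", label):
            if part == "jquery" or (len(part) >= 6 and levenshtein(part, "jquery") <= 2):
                return True
    return False


def is_allowed(host):
    """Genuine jQuery hosts: the allow-list plus jquery.com and its subdomains."""
    host = host.lower()
    return host in LEGIT_JQUERY_HOSTS or host == "jquery.com" or host.endswith(".jquery.com")


def find_suspicious_jquery_sources(html):
    """Return (src, host) pairs for script includes that imitate jQuery's domains."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if not host:  # relative URL: same-origin, not a domain impersonation
            continue
        if looks_like_jquery(host) and not is_allowed(host):
            findings.append((src, host))
    return findings


# Constructed sample page: two genuine includes, two look-alike domains
# (hypothetical, not from the campaign), and one same-origin script.
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://cdn.jquery-cdn.example/jquery.min.js"></script>
<script src='https://jqeury.example/js/app.js'></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, host in find_suspicious_jquery_sources(SAMPLE_HTML):
        print(f"suspicious jQuery include: host={host} src={src}")
```

The check is deliberately host-based because the campaign's deception lives in the domain name; a script served from an unrelated host with "jquery" only in its path is not flagged, and inline script injected directly into the page needs a separate review. Run it against saved copies of your pages, or against a crawl, and treat every hit as an indicator worth confirming rather than a verdict.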
ClearSky said it identified eight infected websites compromised using a similar JavaScript method.
While most of the websites have been cleared of the malicious code, ClearSky said further investigation is ongoing to ensure the complete eradication of the threat.
The attack described by ClearSky comes weeks after a new Android surveillance tool was attributed to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).