A hacking group that appears to be linked to Iran has been targeting Israeli shipping in recent years as the shadow war between Israel and Iran has begun to unfold at sea after being fought primarily on land and in the air, said a major US cybersecurity firm. Wednesday.
The hacking group focused on gathering intelligence from Israeli entities and also targeted Israeli government, energy and healthcare organizations, Virginia-based cybersecurity firm Mandiant said.
The cybersecurity group warned that intelligence and data obtained by hackers could be exploited for nefarious activities, such as becoming fodder for damaging leaks or guiding direct military action. It was unclear how successful the pirates had been in their attacks.
The hacking group has also targeted some global companies, indicating that its activity may extend beyond Israel, although so far there are no known targets outside of Israel.
Mandiant said he was moderately confident the group is connected to Iran and found technical remains pointing to an Iranian connection, such as the use of Persian, including the word kodawhich means “God”.
The group appeared to pursue activities that would support Iranian interests and operations, including transport groups that handle sensitive components. The targeted targeting of Israeli entities was similar to that of other Iranian attackers.
“The shipping industry and the global supply chain are particularly vulnerable to disruption, especially in places where a low-level state of conflict already exists,” said John Hultquist, vice president of threat intelligence. at Mandiant, in a press release.
“It’s a reminder that global businesses face global threats. The cyber conflict between Iran and Israel threatens Israel and those who operate there,” he said.
The hacking group has been active since at least the end of 2020 and was still operating as of the middle of this year.
Mandiant dubbed the unnamed hacking group UNC3890, using the “UNC” designation for “uncategorized” groups.
UNC3890 used unique hacking tools and other publicly available tools, Mandiant said.
Some of these tools have targeted users of email providers Gmail, Yahoo, and Yandex, and others have spoofed legitimate sites such as Office 365, Facebook, and LinkedIn. There were also fake job postings that could be part of a phishing campaign.
Another angle of attack was to spread fake advertisements for “AI-driven robotic dolls” as a decoy to provide a tool to harvest a victim’s credentials. The dolls appeared to be sex dolls, the hacking group using the xxx-doll domain[.]com, among other domain names.
Some of the attack methods have not been used before by Iranian groups, while one of the UNC3890 methods was used by a team operated by the Islamic Revolutionary Guard Corps. Two of the methods appeared to be new malware belonging to the newly disclosed hacking group.
UNC3890 used social engineering decoys, an attack method that aims to trick people into the systems they use, and may have used a so-called waterhole attack, which sets a trap by infecting websites that its targets may visit. One of the group’s watering holes was the website of a legitimate Israeli shipping company, Mandiant said.
Iran and Israel have waged a shadow war for years across the Middle East. Israel regularly strikes Iran-linked targets in Syria to prevent arms deliveries to the Hezbollah terror group and to prevent Iran from gaining a foothold on Israel’s northern border. Iran has accused Israel of a series of attacks on its nuclear program, including the assassination of scientists and officials and the sabotage of nuclear facilities.
Iran funds anti-Israel terrorist groups Palestinian Islamic Jihad, Hezbollah and Hamas, and has targeted Israeli and Jewish targets abroad.
Israel and the United States accuse Iran of carrying out attacks on shipping in the region since 2019. Bordering Iran, the Persian Gulf and the Strait of Hormuz, which connects the gulf to the world’s oceans, hold some of the most important shipping lanes in the world. The massive amount of cargo being trafficked on the high seas in the region presents a difficult target for bad actors to defend.
The past year has seen a series of attacks on ships linked to Israel. In February 2021, an explosion hit the Israeli-owned MV Helios Ray, a Bahamian-flagged freighter, in the Gulf of Oman. Then-Prime Minister Benjamin Netanyahu accused Iran of attacking the ship. Iran quickly denied the accusation, but experts said the attack had characteristics of previous strikes attributed to Tehran.
Also in 2021, a drone attack hit an Israeli vessel off the coast of Oman, killing two European crew members. Another Israeli-owned ship was hit by a missile. Iran was suspected in both attacks.
Foreign reports around the same time stated that Israel targeted at least 12 ships bound for Syria, most of them carrying Iranian oil, while others targeted arms shipments. The attacks did not sink the tankers but forced at least two of the ships to return to port in Iran.
In the summer of 2019, as tensions rose between Washington and Tehran, the US military accused Iran of blowing up two oil tankers near the Strait of Hormuz.
Iran has also harassed and seized ships from other countries, including Greece, South Korea, the United Kingdom and Vietnam.