Israel may have become a target of cyber espionage in the hands of ‘UNC3890’ – the Iranian hacker group mainly which is targeting critical sectors in Israel, including energy, healthcare, shipping, and government systems. An American cybersecurity firm, Mandiant observed several attempts to hack into Israel’s systems email compromises, fake login pages, and phishing links. It is suspected that several critical data have been compromised, leading to security concerns.
Persian words lead to suspicion against Iran
UNC3890, the Persian-speaking cybercriminals used phishing attacks on unsuspecting officials, gaining access to sensitive and classified data. The use of Farsi words in the strings, such as ‘Khoda’, which means God, and ‘Yaal’, meaning horse’s mane, led to the suspicion that the group was connected to Iran. Analyzing the targets of Israel, it could be said that they are of strategic interest to Iran.
Specific companies targeted
There have been reports of groups such as UNC757 and UNC2448 targeting industries in Israel. A heat-sensitive cargo shipping company was also targeted in cyber espionage against Israel. Besides monetary gains, access to military operations is suspected to be a reason behind this ongoing espionage campaign against Israel. Access to Israel’s healthcare, energy, shipping, government data, etc., with the help of the stolen login credentials, can lead generation to compromise of classified information, putting Israel and other countries at risk.
Proofs lead to suspicion of Iran
Iranian groups often choose the NorthStar C2 Framework used in this cyber espionage against Israel. Mandiant reported that most domains were hosted on the same infrastructure used by UNC3890. However, these observations are from 2020. Several socially engineered tactics were observed to target a broad range of users and extract as much intel as possible. CISA reported that Iran-backed cyber criminals attacked Microsoft Exchange and Fortinet on November 17, 2021.
SUGARUSH and SUGARDUMP
The two unique tools for the cyber-attack were named SUGARUSH and SUGARDUMP. While SUGARUSH is the backdoor, SUGARDUMP steals credentials through Gmail, Yahoo and Yandex. The cybersecurity firm noted that the URL structure of the post request was “hxxps[:]//xn--lirkedin-vkb[.]com/object[.]php?browser=<user_browser>&ip=<user_ip>”. They also found that there were several other methods in which cyber espionage was carried out, such as spoofing LinkedIn and Facebook and showing fake advertisements for AI-based robotic dolls.