Israel appears to have become a target of cyber espionage by 'UNC3890', a suspected Iranian group that focuses on critical sectors in Israel, including energy, healthcare, shipping and government systems. The American cybersecurity firm Mandiant observed several attempts to break into Israeli systems using compromised email accounts, fake login pages and phishing links. It is suspected that sensitive data has been compromised, raising security concerns.
UNC3890's Persian-speaking operators used phishing against unsuspecting officials to gain access to sensitive and classified data. Farsi words found in the tools' strings, such as 'Khoda' (God) and 'Yaal' (a horse's mane), are part of the evidence linking the group to Iran, and the Israeli targets chosen are all of strategic interest to Iran.
Other groups such as UNC757 and UNC2448 have also been reported targeting Israeli industries. A shipping company handling heat-sensitive cargo was among the victims of the espionage against Israel. Besides monetary gain, access to military operations is suspected to be a motive behind the ongoing campaign. Access to Israel's healthcare, energy, shipping and government data, obtained with stolen login credentials, can lead to the compromise of classified information, putting Israel and other countries at risk.
Iranian groups often use the open-source NorthStar C2 framework, and it was used in this espionage campaign against Israel as well. Mandiant reported that most of the domains involved were hosted on the same infrastructure tied to UNC3890, though those observations date from 2020. A range of social-engineering tactics was used to reach a broad set of users and extract as much intelligence as possible. In a joint advisory published on November 17, 2021, CISA reported that Iran-backed actors were exploiting Microsoft Exchange and Fortinet vulnerabilities.
The two tools unique to this campaign were named SUGARUSH and SUGARDUMP. SUGARUSH is a backdoor, while SUGARDUMP harvests browser-stored credentials and sends them out by email through Gmail, Yahoo and Yandex accounts; a later variant posts the stolen data to a web server instead. Mandiant noted that the POST request for that variant used the URL structure "hxxps[:]//xn--lirkedin-vkb[.]com/object[.]php?browser=<user_browser>&ip=<user_ip>". The host is an internationalized (punycode) domain: the "xn--lirkedin-vkb" label decodes to "lirıkedin", where the letters "r" and dotless "ı" together imitate the "n" of linkedin, so the address reads as LinkedIn to a casual glance. Mandiant also found other lures used in the espionage, such as spoofed LinkedIn and Facebook pages and fake advertisements for AI-based robotic dolls.
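The punycode lookalike above is easy to miss in a proxy log because the raw host is the ASCII "xn--" form. The following script is an added example written for this article, not code from Mandiant or from the attacker's tools: it refangs defanged indicators, decodes "xn--" labels with Python's punycode codec, folds a small hand-picked table of visual confusables (an assumption, not the full Unicode confusables data) onto the ASCII they imitate, and flags hosts whose second-level label then equals a known brand. The brand list, the log format and the three log lines are constructed for the demonstration; the first line reuses the defanged indicator quoted above with placeholder "browser" and "ip" values.

```python
from urllib.parse import urlsplit, parse_qs

# Brands whose names lookalike hosts imitate (assumption: a small list for this example).
BRANDS = {"linkedin", "facebook"}

# Visually confusable sequences and the ASCII they imitate. Digraphs come first so that
# "r" + dotless "ı" folds to "n" before a lone "ı" would fold to "i".
# (Assumption: a hand-picked table, not the full Unicode confusables data.)
CONFUSABLES = [
    ("rı", "n"), ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("ı", "i"), ("0", "o"), ("1", "l"),
]

# Constructed proxy log lines: "<time> <client> <method> <url>". The first URL is the
# defanged indicator from the article; the browser and ip values are placeholders.
SAMPLE_LOG = """\
2022-08-01T10:12:03Z 10.0.0.15 POST hxxps[:]//xn--lirkedin-vkb[.]com/object[.]php?browser=Chrome&ip=203.0.113.7
2022-08-01T10:12:09Z 10.0.0.15 GET https://www.linkedin.com/feed/
2022-08-01T10:13:44Z 10.0.0.22 GET https://faceb00k.example/login
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps[:]//host[.]tld) back into a parseable URL."""
    return (ioc.replace("hxxp", "http").replace("[:]", ":")
               .replace("[.]", ".").replace("[/]", "/"))


def decode_host(host: str) -> str:
    """Decode every xn-- (IDNA) label with the punycode codec; ASCII labels pass through."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Fold confusable sequences so a lookalike collapses onto the ASCII brand it imitates."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def lookalike_brand(url: str):
    """Return (decoded_host, brand) when the second-level label imitates a brand, else None."""
    host = urlsplit(refang(url)).hostname or ""
    decoded = decode_host(host)
    labels = decoded.split(".")
    if len(labels) < 2:
        return None
    second_level = labels[-2]
    if second_level in BRANDS:
        return None  # the genuine domain, not a lookalike
    folded = skeleton(second_level)
    if folded in BRANDS:
        return decoded, folded
    return None


def scan_log(text: str):
    """Flag log lines whose URL host is a brand lookalike. The query fields the harvester
    reports (browser=, ip=) are kept so the affected victim can be identified."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        match = lookalike_brand(url)
        if match is None:
            continue
        decoded, brand = match
        query = {k: v[0] for k, v in parse_qs(urlsplit(refang(url)).query).items()}
        hits.append({"time": ts, "client": client, "host": decoded,
                     "imitates": brand, "query": query})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it as-is and the first and third lines are flagged (the genuine www.linkedin.com request is not); the first hit carries the browser and ip values the harvester reported, which is what an analyst needs to find the infected host. For production use, replace the confusable table with the Unicode confusables data and extend the brand list to the organisation's own domains.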