A hacking group that appears to be linked to Iran has been targeting Israeli shipping in recent years, as the shadow war between Israel and Iran began to play out at sea after mainly being waged on land and in the air, a leading US cybersecurity firm said Wednesday.
The hacking group focused on collecting intelligence from Israeli entities and has also targeted Israeli government, energy and health care organizations, said the Virginia-based cybersecurity firm Mandiant.
The cybersecurity group warned that intelligence and data the hackers obtained could be leveraged for nefarious activities, such as becoming fodder for damaging leaks or guiding direct military action. It wasn’t clear how successful the hackers had been in their attacks.
The hacking group has also targeted some global companies, indicating its activity may go beyond Israel, although there is no known target outside Israel so far.
Mandiant said it was moderately confident that the group is linked to Iran and has found some technical remnants pointing to an Iranian link, such as the use of Persian, including the word khoda, which means “God.”
Get The Times of Israel's Daily Edition by email and never miss our top stories
The group appeared to pursue activities that would support Iranian interests and operations, including shipping groups that handle sensitive components. The focused targeting of Israeli entities was similar to that of other Iranian attackers.
“The shipping industry and the global supply chain are particularly vulnerable to disruption, especially in places where a state of low-level conflict already exists,” John Hultquist, the vice president of threat intelligence at Mandiant, said in a statement.
“This is a reminder that global companies face global threats. Iran’s cyberconflict with Israel threatens Israel and those who operate there,” he said.
The hacking group has been active since at least late 2020, and was still operating as of the middle of this year.
Mandiant dubbed the unnamed hacking group UNC3890, using the “UNC” designation for “uncategorized” groups.
UNC3890 has used some unique hacking tools and other publicly available tools, Mandiant said.
Some of the tools have targeted users on the Gmail, Yahoo and Yandex email providers, and others spoofed legitimate sites such as Office 365, Facebook and LinkedIn. There were also fake job offers that may have been part of a phishing campaign.
In this Wednesday, April 15, 2020, photo made available by US Navy, Iranian Revolutionary Guard vessels sail close to US military ships in the Persian Gulf near Kuwait. (US Navy via AP)
Another angle of attack was running fake commercials for “AI-driven robotic dolls” as a lure to deliver a tool for harvesting a victim’s credentials. The dolls appeared to be sex dolls, with the hacking group using the domain xxx-doll[.]com, among other domain names.
Some of the attack methods have not been previously used by Iranian groups, while one of UNC3890’s methods was used by an outfit operated by the Islamic Revolutionary Guards Corps. Two of the methods appeared to be new pieces of malware proprietary to the newly disclosed hacking group.
UNC3890 has used social engineering lures, an attack method that aims to trick people to break into the systems they use, and may have used a so-called watering hole attack, which sets a trap by infecting websites that its targets may visit. One of the group’s watering holes was the website of a legitimate Israeli shipping company, Mandiant said.
Iran and Israel have waged a shadow war for years across the Middle East. Israel regularly strikes Iran-linked targets in Syria to prevent weapons shipments to the Hezbollah terror group and to block Iran from gaining a foothold on Israel’s northern border. Iran has accused Israel of a series of attacks against its nuclear program, including assassinations of scientists and officials and sabotage at nuclear facilities.
Iran funds the anti-Israel terror groups Palestinian Islamic Jihad, Hezbollah and Hamas, and has targeted Israeli and Jewish targets abroad.
Israel and the US have accused Iran of carrying out attacks against shipping in the region since 2019. Bordering Iran, the Persian Gulf and the Strait of Hormuz, which connects the Gulf to the world’s oceans, hold some of the world’s most significant shipping lanes. The massive amount of cargo that is trafficked in the area’s open seas presents a target for bad actors that is difficult to defend.
Last year saw a series of attacks against Israel-linked ships. In February 2021, a blast struck the Israeli-owned MV Helios Ray, a Bahamian-flagged cargo ship, in the Gulf of Oman. Then-prime minister Benjamin Netanyahu accused Iran of attacking the ship. Iran swiftly denied the charge, but experts said the attack had the hallmarks of previous strikes ascribed to Tehran.
Also in 2021, a drone attack hit an Israeli-operated ship off the coast of Oman, killing two European crew members. Another Israeli-owned ship was hit by a missile. Iran was suspected in both attacks.
Foreign reports from around the same time said Israel targeted at least 12 ships bound for Syria, most of them transporting Iranian oil, while others targeted weapons shipments. The attacks did not sink the tankers but forced at least two of the vessels to return to port in Iran.
In the tense summer of 2019, as tensions spiked between Washington and Tehran, the US military blamed Iran for explosions on two oil tankers near the Strait of Hormuz.
Iran has also harassed and seized ships from other countries, including Greece, South Korea, the UK and Vietnam.
