
Cyber Incident Victim: SNY Cargo

Date: Apr 2023

Location: Israel

Summary

A suspected Iranian threat group targeted Israeli shipping and logistics firms using a watering hole attack. The website for SNY Cargo was among those compromised with malicious JavaScript designed to harvest user data, including IP addresses and system information. The attack was attributed with low confidence to the group Tortoiseshell, which leveraged a domain impersonating a legitimate JavaScript framework to deceive visitors and facilitate its espionage operation.


Description

On or around April 18, 2023, a cybersecurity incident targeting Israeli shipping and logistics companies was identified. The incident was discovered and reported by Tel Aviv-based cybersecurity company ClearSky. The attack was characterized as a watering hole campaign, a method in which attackers compromise a website frequently visited by a specific target group in order to infect its users. In this case, the target group consisted of individuals associated with the Israeli shipping and logistics sector. The malicious code was injected into at least eight Israeli websites, including the sites of shipping company SNY Cargo, logistics firm Depolog, and restaurant equipment supplier SZM. By the date of discovery, April 18, the majority of the compromised websites had already been cleared of the malicious code by their respective owners or administrators, indicating that the initial compromise and the period of malicious activity occurred prior to this date.


The threat actor responsible for this campaign was attributed by ClearSky, though with low confidence, to the Iranian nation-state group known as Tortoiseshell. This group is also tracked under the aliases TA456 and Imperial Kitten, and has been documented as active since at least July 2018. The attack methodology employed was a malicious JavaScript code injected into the targeted websites. The primary function of this code was to gather specific information from users visiting the compromised sites. The data collected included the user's IP address, their screen resolution, and the URL of the webpage they visited immediately prior to arriving at the hacked site. Furthermore, the malicious script attempted to determine the user’s computer language preference. This type of information gathering is typically used for reconnaissance and intelligence purposes, allowing attackers to profile potential targets and customize future attacks with greater precision, such as by crafting phishing lures in the target's preferred language.

A specific technical indicator used in this attack was the domain jquery-stack[.]online. This domain was designed to impersonate the legitimate and widely used JavaScript framework, jQuery. The malicious JavaScript code on the compromised websites would call out to this domain, which was under the control of the attackers. The use of this domain was a deliberate deception tactic aimed at blending in with legitimate web traffic and avoiding detection by anyone who might inspect the website's source code. This particular domain had been previously attributed to the Tortoiseshell group in earlier campaigns, which provided a basis for the low-confidence attribution to this Iranian actor. The tactic of using domains that impersonate common software libraries like jQuery is not new for Iranian threat actors; ClearSky researchers noted observing similar domain names being used in a previous Iranian campaign dating back to 2017 that also utilized watering hole attacks.

The impact of this incident was the successful exfiltration of user data from the visitors of the compromised websites. While the exact number of affected individuals is not specified in the reporting, the fact that multiple companies were targeted suggests a broad campaign aimed at collecting intelligence on a sector of strategic interest. The consequences for the compromised companies themselves included the need to identify and remove the malicious code from their web properties to protect their users and restore the integrity of their online presence. The quick action to clean most sites by April 18 limited the window of data collection, potentially mitigating the overall impact of the breach.

The attack also highlighted a recurring vulnerability associated with specific web hosting infrastructure. The report noted that the majority of the compromised websites were utilizing the uPress hosting service. This same service had been previously targeted in 2020 by another Iranian group, Emennet Pasargad. In that earlier incident, the compromise resulted in the defacement of thousands of Israeli websites, indicating that this hosting platform has been a persistent target for Iranian cyber operations. This pattern suggests that threat actors often revisit previously exploited vulnerabilities or attack vectors, especially those that have proven successful in the past.

The incident fits within the broader context of ongoing cyber tensions between Iran and Israel. The two nations are frequently engaged in covert cyber operations against one another, driven by longstanding political and geopolitical tensions. Iranian state-sponsored attacks against Israeli targets have various objectives, including espionage and data theft, destruction of systems, and the spread of disinformation. While Iranian groups are generally assessed to be less advanced than their Russian or Chinese counterparts, they have demonstrated an increasing capability and a tendency to rapidly exploit newly disclosed software vulnerabilities to breach target organizations. The Tortoiseshell group itself has a history of sophisticated attacks, including previously executing a supply chain attack against IT providers in Saudi Arabia, using both custom and commercially available malware to ultimately target the providers' customers.

The response to the incident involved the affected companies taking corrective action to cleanse their websites of the malicious code. The role of ClearSky was pivotal in discovering the campaign and publicizing its findings to inform the wider cybersecurity community. Their report provided technical details and attribution assessments that help other organizations defend against similar tactics. The use of a known malicious domain linked to a specific threat actor allowed for the deployment of defensive measures, such as network monitoring and blocking of the identified domain, to prevent further data leakage. The incident serves as another data point in the evolution of Iranian cyber threats, demonstrating their continued use of proven techniques like watering hole attacks against strategic economic sectors.
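The deception described above (a loader script calling out to a domain that merely looks like jQuery) and the defensive measure of blocking the identified domain both come down to one check a site owner can run against their own pages. The following is an added example, not code from ClearSky or from the original page; the CDN allowlist and the sample HTML are assumptions and constructed input, and the only indicator taken from the report is jquery-stack[.]online.

```python
"""Flag <script src=...> references that impersonate jQuery or match a known-bad domain.

Added defender-side example (not from the original page). Assumed allowlist of
legitimate jQuery CDN hosts; constructed sample page; jquery-stack[.]online is the
indicator named in the report, kept defanged and re-fanged only at match time.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts that legitimately serve jQuery for this site.
LEGIT_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}

# Indicator from the report, written defanged so it is not clickable in documents.
KNOWN_BAD = ("jquery-stack[.]online",)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'jquery-stack[.]online' into a hostname."""
    return domain.replace("[.]", ".").lower()


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def suspicious_script_hosts(html: str, known_bad=()):
    """Return external script hosts that either match a known-bad indicator or
    contain 'jquery' without being an allowlisted CDN. Relative paths (scripts
    served by the site itself) are ignored."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    bad = {refang(d) for d in known_bad}
    hits = []
    for src in parser.sources:
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # relative src, served from the site's own origin
        if host in bad or ("jquery" in host and host not in LEGIT_JQUERY_HOSTS):
            hits.append(host)
    return hits


# Constructed sample page: one real CDN include, one local script, one injected loader.
SAMPLE_PAGE = f"""<html><head>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="/js/site.js"></script>
<script src="https://{refang(KNOWN_BAD[0])}/jquery.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(suspicious_script_hosts(SAMPLE_PAGE, KNOWN_BAD))
```

Run the same function over every page of a site and over the exported HTML of any CMS templates; a host that appears here but not in the site's own deployment records is the injection to remove and the domain to block at the proxy.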
