Mandiant has been tracking an activity cluster from what it believes is a single Iranian threat group that has been targeting Israeli interests, especially the shipping industry.
The activity was first noted in late 2020 and is ongoing in mid-2022. Mandiant has named the group UNC3890.
Although the group’s targeting is regionally focused on Israel, some of the targets are global organizations – meaning there could be a ripple effect across other regions. The primary targets are government, shipping, energy, aviation and healthcare sectors.
UNC3890 gains initial access through watering-hole attacks and credential harvesting. For the latter, the group’s command-and-control (C2) servers masquerade as legitimate services: they host the credential-harvesting pages and send the phishing lures that direct victims to them.
These servers host lookalike domains and fake login pages spoofing legitimate services such as Office 365 and social networks such as LinkedIn and Facebook, and they deliver fake job offers and fake advertisements as lures.
The researchers also found a UNC3890 server containing scraped Facebook and Instagram details that could have been used in social engineering attacks.