Suspected Iranian hackers, identified as the group Tortoiseshell, have targeted multiple shipping and logistics websites in Israel, aiming to gather user information. ClearSky, a Tel Aviv-based cybersecurity company, attributes these attacks to Tortoiseshell, which has been active since at least July 2018. The hackers employed a watering hole attack, compromising websites frequented by the target audience to inject malicious code.
The majority of the affected websites have removed the malicious code, but the attack raises concerns about the ongoing cyber conflict between Iran and Israel, with Iranian actors continually enhancing their capabilities.
The hackers used malicious JavaScript in their recent attack, collecting data such as visitors' IP addresses, screen resolutions, and the URLs of the pages they had come from. They also attempted to determine the language settings of visitors' computers, apparently to tailor future attacks. The compromised websites, including SNY Cargo, Depolog, and SZM, were primarily hosted by the uPress hosting service, which was previously targeted by the Iranian group Emennet Pasargad in 2020, resulting in the defacement of thousands of Israeli sites.
The cyber conflict between Israel and Iran has intensified over the past two years, with Iranian state-sponsored actors steadily improving their cyber capabilities. While not as advanced as Russian or Chinese counterparts, Iranian hackers are known to exploit recently disclosed vulnerabilities and employ tailored tools against their targets.
Tortoiseshell, previously involved in supply chain attacks in Saudi Arabia, loaded its script from the domain jquery-stack[.]online, chosen to resemble the legitimate JavaScript framework jQuery so that the injected tag would pass a casual inspection of the site's code. ClearSky researchers observed the same tactic, domain names impersonating jQuery, in an earlier Iranian watering hole campaign dating back to 2017.