Since last year, Mandiant is tracking a cluster of activities targeting the Israeli government, energy, healthcare, and shipping sectors. These activities are linked to a threat group named UNC3890.

Iran’s attack on Israeli networks

UNC3890 is believed to be an Iranian threat group, whose activities were first spotted in late 2020 and continued until mid-2022. The group uses social engineering lures, along with watering hole attacks.
  • While it is primarily focused on Israel, some of its targets are global entities, mostly from the shipping industry.
  • The threat group aims for intelligence collection, which may be used to support different actions, such as performing hack-and-leak and kinetic warfare attacks.

Tactics employed by hackers

UNC3890’s initial access is usually via watering holes and credential harvesting. 
  • The group’s C2 servers masquerade as genuine services to collect credentials and send phishing lures.
  • The servers host domains and fake login pages spoofing genuine services such as Office 365, and social networks (LinkedIn and Facebook) to spread fake job offers and commercials. 
  • Additionally, the researchers have discovered a UNC3890 server loaded with scraped Facebook and Instagram information that could employ in social engineering attacks.

Tools in use

In addition to the above mention attack lures, UNC3890 was observed leveraging several tools and tactics for its attack campaigns. 
  • One phishing lure used by the attackers is believed to be a .xls file masked as a job offer yet designed to install Sugardump (three versions found), a unique tool known to be used for credential harvesting. 
  • Another tool is Sugarush, a backdoor for establishing a connection with C2 and executing CMD commands. 
  • Other tools are Unicorn, a tool for performing PowerShell downgrade attacks and injecting a shellcode, Metasploit, and Northstar C2 (an open-source C2 framework for penetration testing).

Stay safe

The focus on Israel-based targets and the attack tactics indicates that UNC3890 is a dedicated Iranian threat group. Organizations are suggested to have multi-layered security in place to stay protected and deploy intelligent and automated solutions.
Cyware Publisher