UNC3890 Iranian hacker activity primarily targets Israeli shipping, government, energy, healthcare organizations

Mandiant researchers disclosed details of the UNC3890 cluster of activity targeting Israeli shipping, government, energy, and healthcare organizations via social engineering lures and a potential watering hole over the last year. The company assesses with moderate confidence that the group is linked to Iran, which is significant given its intense focus on shipping and the ongoing naval conflict between Iran and Israel.

“UNC3890 uses at least two unique tools: a backdoor which we named SUGARUSH, and a browser credential stealer, which exfiltrates stolen data via Gmail, Yahoo, and Yandex email services that we’ve named SUGARDUMP,” the company’s Israel Research Team wrote in a blog post on Wednesday. “UNC3890 also uses multiple publicly available tools, such as the METASPLOIT framework and NorthStar C2.”

Additionally, Mandiant discovered UNC3890 operates an interconnected network of Command-and-Control (C2) servers. “The C2 servers host domains and fake login pages spoofing legitimate services such as Office 365, social networks such as LinkedIn and Facebook, as well as fake job offers and fake commercials for AI-based robotic dolls. We observed the C2 servers communicating with multiple targets, as well as with a watering hole that we believe was targeting the Israeli shipping sector, in particular entities that handle and ship sensitive components,” the post adds.

Though the targeting focuses on Israel, some of the entities targeted by UNC3890, especially in the shipping sector, are global companies. The researchers said this targeting is consistent with Iranian historical interest in these sectors. Targeting patterns and lures indicate an attempt to disguise the activity as legitimate login pages and services, social network applications, and technology-related visual content.

Mandiant assesses with moderate confidence that UNC3890 conducts espionage and intelligence collection activity to support multiple Iranian interests and operations. “Targeting patterns indicate a strong interest in Israeli entities and organizations of various sectors, including government, shipping, energy, and healthcare. We observed several limited technical connections to Iran, such as PDB strings and Farsi language artifacts.”

The team also identified that the campaign has been active since at least late 2020 and is still ongoing as of mid-2022. Though it is regional, targeted entities include global companies. 

The researchers discovered several connections suggesting the activity is conducted by an Iran-nexus group. Some findings include the usage of Farsi words, as observed in strings left by the developers in the newest version of SUGARDUMP, for example ‘KHODA’ (the Farsi word for ‘God’) and ‘yaal’ (the Farsi word for a horse’s mane). They also identified focused targeting of Israeli entities and organizations, or organizations operating in Israel, consistent with other clusters of activity operated by Iranian threat actors, specifically UNC757.

“Usage of the same PDB path as another Iranian cluster of activity Mandiant tracks as UNC2448 (operated by the Iranian IRGC, according to public sources), publicly referred to in a U.S. government statement from November 17, 2021,” according to the researchers. “Several publications suggested that UNC2448 is linked to APT35/Charming Kitten cluster of activities, which according to several public sources is operated by the Iranian Islamic Revolutionary Guard Corps (IRGC). UNC2448 has been targeting Israeli entities as well, among other countries of interest to Iran.”

The Mandiant researchers also detected utilization of the NorthStar C2 Framework, a C2 framework preferred by other Iranian actors. “However, since it is a publicly available framework used by multiple threat actors, we consider this link circumstantial,” they added.

The researchers said that UNC3890 used a potential watering hole hosted on the login page of a legitimate Israeli shipping company, which the group likely compromised. The watering hole was active until November 2021; upon visiting the legitimate login page, the user’s browser would send a POST request with preliminary data about the logged-in user to an attacker-controlled non-ASCII Punycode domain.
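A defender can hunt for the behaviour described above in web proxy logs: POST requests that leave a legitimate login page for a Punycode (xn--) host. The following is an added example, not Mandiant’s code; it uses a constructed log and a constructed Unicode host name rather than any real indicator from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (not indicators from the report). The Punycode host is
# built from a Unicode name so the decoded form is known exactly.
CONSTRUCTED_HOST = "пример.example"
PUNY_HOST = CONSTRUCTED_HOST.encode("idna").decode("ascii")  # xn--... form
SAMPLE_LOG = [
    "GET https://login.shipping-co.example/login referer=- status=200",
    f"POST https://{PUNY_HOST}/collect referer=https://login.shipping-co.example/login status=200",
    "POST https://login.shipping-co.example/login referer=https://login.shipping-co.example/login status=302",
]

# Minimal constructed log format: METHOD URL referer=URL|- status=NNN
LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<url>\S+) referer=(?P<ref>\S+) status=(?P<status>\d+)$"
)


def is_punycode_host(host: str) -> bool:
    """True if any DNS label of the host is Punycode-encoded (xn-- prefix)."""
    return any(label.lower().startswith("xn--") for label in host.split("."))


def decode_host(host: str) -> str:
    """Render an xn-- host in its Unicode form for the analyst; fall back to the raw host."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def find_suspicious_posts(lines):
    """Return (host, decoded_host, referer_host) for each POST whose destination is a
    Punycode host different from the page (referer) that issued it, i.e. a form
    submission leaving a legitimate login page for a look-alike domain."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        host = urlsplit(m["url"]).hostname or ""
        ref_host = urlsplit(m["ref"]).hostname if m["ref"] != "-" else None
        if is_punycode_host(host) and host != ref_host:
            hits.append((host, decode_host(host), ref_host))
    return hits


if __name__ == "__main__":
    for host, decoded, ref in find_suspicious_posts(SAMPLE_LOG):
        print(f"suspicious POST to {host} ({decoded}) from page on {ref}")
```

The same check generalizes to any cross-origin POST from a login page, with the xn-- condition acting as a high-signal filter rather than the only one.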

“When we inspected the watering hole, it was already inactive, but it was most likely used to target clients and users of that Israeli shipping company, in particular, ones shipping or handling heat-sensitive cargo (based on the nature of the compromised website),” the researchers revealed. “We have an additional indication of an attempted targeting of another major Israeli shipping company by UNC3890, which is consistent with the watering hole.”

Credential harvesting by masquerading as legitimate services was another technique used by UNC3890, as the researchers uncovered several domains resolving to UNC3890’s C2 servers. Some of the domains were masquerading as legitimate services and entities. UNC3890 may have used these domains to harvest credentials for legitimate services, send phishing lures, or mask their activity and blend in with expected network traffic.

The researchers also identified a UNC3890 server that hosted several ZIP files containing scraped contents of Facebook and Instagram accounts of legitimate individuals. These may have been targeted by UNC3890 or used as lures in a social engineering effort.

Another initial access technique used by UNC3890 relied on fake commercials for AI-based robotic dolls: a video commercial for such dolls was used as a lure to deliver SUGARDUMP. “In addition, we observed UNC3890 usage of domains with similar themes such as naturaldolls[.]store (hosting a fake Outlook login page) and xxx-doll[.]com. In addition, UNC3890 infrastructure hosted a fake page for the alleged purchasing of robotic dolls, redirecting victims to an attacker-controlled infrastructure,” the researchers added.

Mandiant uses the label ‘UNC’ (‘uncategorized’) to refer to a cluster of intrusion activity with observable artifacts, such as adversary infrastructure, tools, and tradecraft, that it is not yet ready to classify. Moreover, the company found no significant connections between UNC3890 and other clusters of activity it currently tracks and therefore treats it as a standalone group.

UNC3890’s use of legitimate or publicly available tools, and its unusual exfiltration method using Gmail, Yahoo, and Yandex email accounts, may reflect an effort to evade detection and bypass heuristic or network-based security measures.

Earlier this month, Mandiant detailed the ‘ROADSWEEP’ ransomware line and a Telegram persona that targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization’s conference in late July. The activity is a geographic expansion of Iranian disruptive cyber operations conducted against a NATO member state, likely indicating an increased risk tolerance when employing disruptive tools against countries perceived to be working against Iranian interests.
