At a glance.
- Iran suspected of cyber operations against four Israeli sectors.
- Wipers as a tool in hybrid war.
- A scorecard for Russian cyber ops during the special military operation.
- Cyber war clauses coming to cyber insurance policies.
- BlackByte is back, and calling itself BlackByte 2.0.
Iran suspected of cyber operations against four Israeli sectors.
Mandiant reports that UNC3890, "a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole," appears to be one element of the low-level naval conflict currently playing out between Iran and Israel. The attribution of UNC3890 to Iran rests partly on circumstantial evidence, and Mandiant makes it with "moderate confidence." The evidence falls into four categories:
- Linguistic. Farsi words appear in strings in UNC3890's tooling.
- Targeting. A focus on Israeli targets is consistent with Iranian interests.
- Program database (PDB) path. The PDB path in UNC3890 tooling matches one observed in activity by UNC2448, which Mandiant attributes to the Islamic Revolutionary Guard Corps (IRGC) and links to APT35 (Charming Kitten).
- C2 framework. UNC3890 uses the NorthStar C2 Framework, which Iranian operators have favored elsewhere.
The threat actor's initial access has typically come through social engineering. So far the activity looks like intelligence collection, but the data collected could support later operations that go beyond espionage. "While we believe this actor is focused on intelligence collection," Mandiant says, "the collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years."