SYMBOLCOMMON_NAMEaka. SYNONYMS

UNC3890  (Back to overview)


A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.


Associated Families

There are currently no families associated with this actor.


References
2023-03-24Kaspersky LabsKaspersky Lab ICS CERT
APT attacks on industrial organizations in H2 2022
Earth Longzhi Storm-0530 UNC3890
2022-08-17MandiantMandiant Israel Research Team
Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors
NorthStar SUGARDUMP SUGARRUSH UNC3890

Credits: MISP Project