Iranian-sponsored UNC3890 group attacks Israeli entities

Iranian Hackers UNC3890 Threat Group Israel Cybercrime Social Engineering Watering Holes Credential Harvesting

Researchers have actively monitored the Iranian threat group UNC3890 after deploying several cybercriminal activities against Israel’s critical organisations. These threat actors from Iran have targeted Israel’s healthcare, shipping, and energy sector.

According to researchers, these Iranian-backed malicious threat actors were first seen a couple of years ago and continue to this day. The group’s illegal activities use social engineering tactics such as baits and watering hole campaigns.

The group also targets numerous entities worldwide. However, the group always targets the shipping industry if given a chance. The threat group’s objective is to collect sensitive information that can support their actions, like operating a hack-and-leak and kinetic warfare campaign.


The UNC3890 threat group’s attack strategy revolves around two methods.


The Iranian-backed UNC3890 threat group commonly starts their attack through credential harvesting and watering holes. The threat actors’ command-and-control servers are observed to obfuscate themselves as authentic service to harvest credentials and distribute phishing baits.

The servers also contain fake login in pages and domain pages that impersonates genuine services such as Facebook, LinkedIn, and Microsoft Office 365 to disseminate advertisements and phoney job offers.

UNC3890’s server is loaded with scraped Instagram and Facebook information they could utilise for social engineering campaigns. They are also leveraging several tools and tricks for their attack campaigns.

One example of the strategy is the use of phishing lure through an [.]xls file endorsed as a job opportunity. The fake job offers are sent by threat actors to install Sugardump, a unique tool utilised for credential harvesting.

Sugarush is another malicious tool used by the group. It is a backdoor for establishing persistence and connection with the C2 server and running their CMD commands. There are also tools such as the Unicorn used by the attackers to perform PowerShell downgrade attacks and inject a shell code.

UNC3890’s focus on targeting Israeli-based entities indicates that it is dedicated to taking down the country’s workflow. Therefore, Israeli organisations should have multi-layered security to mitigate and keep these Iranian hackers at bay.

About the author

Leave a Reply