A group with links to Iran has been conducting watering-hole attacks against Israeli transportation, logistics, and technology sectors over the last two years, an investigation has uncovered.

According to research by CrowdStrike released today, the cyber-espionage attacks were conducted by a state-sponsored advanced persistent threat (APT) named “Imperial Kitten” (aka Yellow Liderc, Tortoiseshell, TA456, and Crimson Sandstorm), which has previously targeted organizations in the Israeli maritime, transportation, and technology sectors. The group has suspected links to Iran’s Islamic Revolutionary Guard Corps.

The watering-hole attacks involve what CrowdStrike called “strategic web compromise,” where Imperial Kitten has infiltrated legitimate sites in order to redirect website visitors to attacker-controlled locations that phish personal information and credentials. The data is then sent to a hardcoded domain and used for follow-on attacks. The compromised websites were primarily Israeli.

Imperial Kitten targets specific victims, such as IT service providers, for data exfiltration via strategic Web compromise. However, in some instances, the adversary directly serves malware to victims from the watering hole, and has mounted email campaigns involving used malicious Microsoft Excel documents in phishing attacks as another piece of the campaign.

In the latter instance, the group actively uses scanning tools, stolen VPN credentials, and vulnerability exploits to gain access to their targets, then uses the PAExec utility for lateral movement, and finally leverages custom and open source malware for data exfiltration.