C0010 C0010
C0010 was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researcher assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. C0010 began by at least late 2020, and was still ongoing as of mid-2022.
| Item |
Value |
| ID |
C0010 |
| Associated Names |
|
| First Seen |
December 2020 |
| Last Seen |
August 2022 |
| Version |
1.0 |
| Created |
21 September 2022 |
| Last Modified |
04 October 2022 |
| Navigation Layer |
View In ATT&CK® Navigator |
Techniques Used
| Domain |
ID |
Name |
Use |
| enterprise |
T1583 |
Acquire Infrastructure |
- |
| enterprise |
T1583.001 |
Domains |
For C0010, UNC3890 actors established domains that appeared to be legitimate services and entities, such as LinkedIn, Facebook, Office 365, and Pfizer. |
| enterprise |
T1584 |
Compromise Infrastructure |
- |
| enterprise |
T1584.001 |
Domains |
During C0010, UNC3890 actors likely compromised the domain of a legitimate Israeli shipping company. |
| enterprise |
T1587 |
Develop Capabilities |
- |
| enterprise |
T1587.001 |
Malware |
For C0010, UNC3890 actors used unique malware, including SUGARUSH and SUGARDUMP. |
| enterprise |
T1189 |
Drive-by Compromise |
During C0010, UNC3890 actors likely established a watering hole that was hosted on a login page of a legitimate Israeli shipping company that was active until at least November 2021. |
| enterprise |
T1105 |
Ingress Tool Transfer |
During C0010, UNC3890 actors downloaded tools and malware onto a compromised host. |
| enterprise |
T1588 |
Obtain Capabilities |
- |
| enterprise |
T1588.002 |
Tool |
For C0010, UNC3890 actors obtained multiple publicly-available tools, including METASPLOIT, UNICORN, and NorthStar C2. |
| enterprise |
T1608 |
Stage Capabilities |
- |
| enterprise |
T1608.001 |
Upload Malware |
For C0010, UNC3890 actors staged malware on their infrastructure for direct download onto a compromised system. |
| enterprise |
T1608.002 |
Upload Tool |
For C0010, UNC3890 actors staged tools on their infrastructure to download directly onto a compromised system. |
| enterprise |
T1608.004 |
Drive-by Target |
For C0010, the threat actors compromised the login page of a legitimate Israeli shipping company and likely established a watering hole that collected visitor information. |
Software
References