From a65bb60d90eb2e78200fdede8f7ee0c57802eb78 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon <mathieu@feedly.com>
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH] [threat-actors] Add UNC3890

---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c351b8ac..078b2326 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12357,6 +12357,18 @@
       },
       "uuid": "ce793b99-0cf2-4148-831c-ea5f6a9e0a76",
       "value": "Carderbee"
+    },
+    {
+      "description": "A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.",
+      "meta": {
+        "country": "IR",
+        "refs": [
+          "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/",
+          "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping"
+        ]
+      },
+      "uuid": "27e11cc5-1688-4aea-a98d-96e6c275d005",
+      "value": "UNC3890"
     }
   ],
   "version": 289