Researchers at Symantec have identified a previously undocumented attack group known as “Tortoiseshell.” The group is said to have been using off-the-shelf and custom malware to target the supply chain of IT vendors in Saudi Arabia.

The group has been active since at least 2018, although it may have been active for much longer. So far, 11 organizations have been identified as compromised by the group, with the most recent activity dated just two months back, in July ’19. There is strong evidence that in at least 2 cases the attackers gained admin access, placing high-level data at risk.

With this, hundreds of computers on these networks were also compromised and infected with malware; researchers say the likely purpose was to locate computers of interest to the attackers.

Once Tortoiseshell’s malware is deployed on a victim’s computer, it uses Trojans such as Syskit and deploys tools to gather information, including the system’s IP configuration, the applications running on it, and other system and network information. It is also able to execute commands via the Command Prompt.
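A defender’s view of the behaviour just described: the added example below (not code from Symantec or from the article) flags a burst of host-discovery commands launched from one parent process. The log layout is a constructed, simplified process-creation record, and the mapping of “IP configuration, running applications, system and network information” onto specific Windows binaries is an assumption.

```python
"""Flag bursts of host-discovery commands of the kind the article describes
(IP configuration, running applications, system and network information).
Sample log lines are constructed; the pipe-separated layout is a simplified
process-creation record, not a real Sysmon or EDR export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of the described behaviour to Windows binaries (assumption).
DISCOVERY_CMDS = {"ipconfig", "tasklist", "systeminfo", "net", "whoami", "netstat"}
WINDOW = timedelta(minutes=2)
THRESHOLD = 3  # distinct discovery commands inside WINDOW from one parent

# Constructed sample: timestamp|host|parent_pid|image
SAMPLE_LOG = """\
2019-07-02T09:14:01|WKS-17|4120|C:\\Windows\\System32\\cmd.exe
2019-07-02T09:14:03|WKS-17|4120|C:\\Windows\\System32\\ipconfig.exe
2019-07-02T09:14:05|WKS-17|4120|C:\\Windows\\System32\\tasklist.exe
2019-07-02T09:14:09|WKS-17|4120|C:\\Windows\\System32\\systeminfo.exe
2019-07-02T09:14:11|WKS-17|4120|C:\\Windows\\System32\\net.exe
2019-07-02T10:30:00|WKS-03|880|C:\\Windows\\System32\\ipconfig.exe
2019-07-02T11:45:00|WKS-03|880|C:\\Windows\\System32\\tasklist.exe
"""

def parse(log_text):
    """Yield (timestamp, host, parent_pid, command_name) per record."""
    for line in log_text.splitlines():
        ts, host, ppid, image = line.split("|")
        name = image.rsplit("\\", 1)[-1].lower()
        name = name[:-4] if name.endswith(".exe") else name
        yield datetime.fromisoformat(ts), host, int(ppid), name

def find_recon_bursts(log_text):
    """Return {(host, parent_pid): sorted distinct commands} for every parent
    whose distinct discovery commands reach THRESHOLD within WINDOW."""
    events = defaultdict(list)
    for ts, host, ppid, name in parse(log_text):
        if name in DISCOVERY_CMDS:
            events[(host, ppid)].append((ts, name))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {n for t, n in evs[i:] if t - start <= WINDOW}
            if len(seen) >= THRESHOLD:
                hits[key] = sorted(seen)
                break  # one alert per parent is enough
    return hits

if __name__ == "__main__":
    for (host, ppid), cmds in find_recon_bursts(SAMPLE_LOG).items():
        print(f"{host} parent {ppid}: {', '.join(cmds)}")
```

On the constructed sample, WKS-17 is flagged (four discovery commands in eight seconds) while the two isolated commands on WKS-03 hours apart are not.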

It is still unclear how the group infects its targets, but the attackers are believed to gain access by compromising web servers; this assumption is based on a web shell discovered on one victim’s network.

On one victim’s network, a backdoor variant called Poison Frog was deployed. It was leaked to the public in April ’19 and had been deployed a month prior to Tortoiseshell. It is considered another variant of BondUpdater, which has been used in attacks in the Middle East. Poison Frog has been associated with the group known as APT34, aka OilRig, but it is unclear whether Tortoiseshell and Poison Frog were deployed by the same actor. OilRig has been linked to the Iranian government.

IT providers are attractive targets because they have high-level access to their clients’ computers. Supply chain attacks are gaining momentum, with a 78% increase in 2018, according to Symantec’s Internet Security Threat Report (ISTR) 24.

Such attacks exploit software and services by hijacking updates and injecting code via software that appears legitimate at first but is in reality attacker tooling.

Since IT vendors have access to their clients’ computers, compromising one gives attackers an added advantage: they can push malicious software or reach customer machines over the vendor’s remote-access links, with a reduced risk of discovery because the activity originates from the IT vendor’s platform.

However, researchers currently have no evidence that allows Symantec to link Tortoiseshell’s activity to any known group or nation state.