New Tortoiseshell hacking group is targeting IT providers

19 Sep 2019

Image: © Mihal Simonia/

Symantec researchers have highlighted that a new, previously undocumented hacking group is infiltrating IT providers.

Cybersecurity firm Symantec has identified a previously undocumented hacking group that is going after IT providers in the Middle East in what appear to be supply chain attacks “with the end goal of compromising the IT providers’ customers”.

The group, which Symantec has dubbed ‘Tortoiseshell’, has been active since at least July 2018, according to the firm, and has struck as recently as July 2019. The company has identified a total of 11 organisations hit by the group, the bulk of which are based in Saudi Arabia. Evidence currently suggests that in the case of two of the organisations, the hackers were able to infiltrate domain admin-level access.

The new group are using a combination of custom-built and off-the-shelf malware. Symantec notes that the group infected “several hundred” computers, which is regarded as an unusually large number of computers to be compromised. “It is possible that the attackers were forced to infect many machines before finding those that were most of interest to them”.

‘Unique component’

Tortoiseshell uses a number of publicly available tools to run commands on infected machines and gather information before compressing that information and transferring it to a remote directory. It also used a number of other dumping tools and PowerShell backdoors.

What is interesting about the group, however, is its use of a custom-built tool called Backdoor.Syskit. It is a basic backdoor that can execute additional tools and commands and has been developed in both Delphi and .NET.

The backdoor installs itself and then harvests information about the infected machine’s IP address, operating system name and version and Mac address, sending it to the command and control server.

Researchers also noted the presence of some tools associated with a group known as APT34, also called ‘Oilrig’.

Supply chain attacks

Targeting IT providers indicates that these attacks are supply chain attacks likely designed to gain access to the networks of some of the IT providers’ customers. Supply chain attacks have become an increasingly popular mode of attack for threat actors and increased as much as 78pc in 2018, according to previous research by Symantec.

“IT providers are an ideal target for attackers given their high level of access to their clients’ computers. This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines,” the research team explained.

“This provides access to the victims’ networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered. The targeting of a third-party service provider also makes it harder to pinpoint who the attackers’ true intended targets were.”

Eva Short was a journalist at Silicon Republic