Cybersecurity: New hacking group targets IT companies in first stage of supply chain attacks

'Tortoiseshell' hacking group is identified by a custom form of malware, say researchs - and new the campaign isn't currently thought to be linked to any other cyber operations.
Written by Danny Palmer, Senior Writer

A hacking operation is targeting IT providers with malware in what's thought to be the opening stage of supply chain attacks with the ultimate goal of compromising customer organisations.

Dubbed Tortoiseshell, the hacking group uses a combination of custom and off-the-shelf malware - and isn't currently thought to have any relation to activity by criminals or nation-state backed espionage campaigns. The previously undocumented campaign has been uncovered and detailed by security researchers at Symantec.

Tortoiseshell has been active since at least July 2018. In that time, researchers say the group has targeted at least 11 IT providers, most of which are based in Saudi Arabia. Evidence suggests that the attackers gained domain admin level access to at least two of the organisations, enabling them to gain access to all machines on the network.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

In two of the attacks, researchers found that hundreds of computers were compromised with malware, indicating that the attackers were simply infecting all the machines they could throughout the organisations in order to find key targets.

The most recently recorded activity from Tortoiseshell was in July 2019, with attacks by the group identified by a unique custom payload: Backdoor.Syskit.

This malware is built in both Delphi and .NET programming languages and secretly opens an initial backdoor onto compromised computers, allowing attackers to collect information including the IP address, the operating system version and the computer name.

Syskit can also download and execute additional tools and commands, and Tortoiseshell attacks also deploy several publicly available tools as information stealers to gather data on user activity.

While it remains uncertain how the malware is delivered, researchers suggest that it could potentially be distributed via a compromised web server, because in one instance the first indication of malware on the network was a compromised web shell – something that can provide an easy way into a targeted network.

"Compromising a web server, with a likely old exploit, can be a simpler approach than using e-mail. The alternative of using a phishing e-mail to compromise the victim generally required the attacker to have at least some knowledge of the email recipient in order to customize the email to that individual," Gavin O'Gorman, an investigator in the Symantec security response team, told ZDNet.

With the campaign focused on IT companies, researchers believe these attacks are the first stage of a supply chain attack and the hackers are looking to compromise the IT suppliers as a stepping stone to their customers' networks.

Attackers engaging in supply chain attacks use a number of methods to compromise their final target, including distributing software updates containing malicious code. The high level of access that IT companies have to client networks makes them an appealing target for hackers.

SEE: This new cryptojacking malware uses a sneaky trick to remain hidden

Such is the interest in the targeted organisations that Symantec found evidence that some had previously been targeted using leaked tools associated with APT 34 – also known as Oilrig and Helix Kitten – a hacking operation with links to the Iranian government. However, researchers believe this activity isn't related to Tortoiseshell, but is rather an indication of the interest many attack groups have in Saudi Arabia and the wider Middle East.

"Saudi Arabian organizations have been the target of several hacking groups for several years now," said O'Gorman. "There are no signs that this targeting of Saudi Arabian organizations will decrease."

The organisations which have been targeted by Tortoiseshell have been informed about the attacks and are working with Symantec to protect their networks. It's believed that Tortoiseshell is still active and will continue to target organisations in the region with updated attacks.


Editorial standards