Saudi IT Providers Hit in Cyber Espionage Operation (Sep 18, 2019)
Symantec has identified a previously unknown threat group, dubbed “Tortoiseshell,” that targeted IT providers as the early stage of a supply chain attack. The researchers found that the group had targeted 11 IT providers, mostly in Saudi Arabia, since mid-2018, and they do not believe the group has ties to previously identified nation-state espionage campaigns or to existing cybercrime operations. The initial attack vector is unknown, although at least one victim may have been compromised through a web server, which was then likely used to deploy malware onto the network. Tortoiseshell uses a custom backdoor to collect details about the victim machine, including installed applications, IP configuration, network connections, and system information.
Recommendation: Threat actors are willing to go to great lengths to abuse trust relationships in supply chain attacks, and such attacks are becoming more frequent as actors' Tactics, Techniques, and Procedures (TTPs) evolve. It is therefore paramount that every application your company uses is properly maintained, and that the hosts running those applications are monitored for unusual activity, such as a single process issuing a burst of the system-reconnaissance commands that a backdoor like this one relies on (IP configuration, network connections, running applications, system information).
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.