TortoiseShell Group Compromises IT Providers in the Middle East

Delaware, USA – September 18, 2019 – Another young hacking group hacks IT providers in the Middle East to prepare supply chain attacks. Symantec’s researchers have revealed the activity of the group, which they called Tortoiseshell, operating since last July. During this time, attackers compromised at least 11 IT providers, most of their targets are located in Saudi Arabia. The most likely network penetration scenario is a web server compromise, from where adversaries infect other systems with a custom backdoor. The main tool of the group is Syskit malware written in Delphi and .NET programming languages. Once in the system, the malware collects system information and sends it to the command-and-control server. Tortoiseshell uses Syskit malware to execute commands using cmd.exe and deliver publicly available tools, including PowerShell backdoors and dumping tools. In two cases, researchers discovered hundreds of infected systems in the organizations. The adversaries seemed to be looking for important systems on the off-chance and then did not take care to cover their tracks.
Researchers were not able to get the list of clients of hacked IT providers, so it is not known which companies were to become the primary targets in these supply chain attacks. It is also impossible to pinpoint whether this is a new threat actor or it is a campaign of one of the many APT groups operating in that region. Similar supply chain attacks are conducted by the Hexane group, compromising telecoms to attacks oil and gas companies in Kuwait. You can use Web Application Security Framework rule pack to spot malicious activity, web application misuse, and breach attempts: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight