Threats Feed | Tortoiseshell | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 18/09/2019

Tortoiseshell Group Targets IT Providers in Saudi Arabia: Supply Chain Attacks Uncovered

  • Actor Motivations: Espionage, Exfiltration, Sabotage
  • Attack Vectors: Code injection, Malware, Supply Chain Compromise
  • Attack Complexity: High
  • Threat Risk: High Impact/Low Probability

Threat Overview

The Tortoiseshell group has targeted IT providers in Saudi Arabia since at least July 2018, focusing on supply chain attacks in order to compromise the IT providers' customers. The group deployed both custom and off-the-shelf malware, infecting an unusually large number of computers for targeted attacks. The custom malware, Backdoor.Syskit, allowed the attackers to download and execute additional tools and commands. The attackers used various information-gathering tools and achieved domain admin-level access in at least two organizations; it is suspected that they compromised a web server to deploy malware onto the network.

Detected Targets

Type   | Description            | Confidence
Sector | Information Technology | Verified
Region | Saudi Arabia           | Verified

Extracted IOCs

  • 02a3296238a3d127a2e517f4949d31914c15d96726fb4902322c065153b364b2
  • 07d123364d8d04e3fe0bfa4e0e23ddc7050ef039602ecd72baed70e6553c3ae4
  • f71732f997c53fa45eef5c988697eb4aa62c8655d8f0be3268636fc23addd193
  • 64[.]235.39.45
  • 64[.]235.60.123

Tip: 5 IOCs related to this threat have been found (2 IP addresses, 0 domains, 0 URLs, 0 email addresses, 3 file hashes).