Tortoiseshell's Cross-Platform Espionage Targets Military and Defense Industries in US, UK, and Europe
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Malware, Spyware, Phishing
- Attack Complexity: Low
- Threat Risk: Low Impact/High Probability
Threat Overview
Tortoiseshell targeted military personnel and companies in the defense and aerospace industries, primarily in the United States and, to a lesser extent, the UK and Europe. The group used social engineering, phishing, and custom malware tools, including Syskit and a Liderc-like reconnaissance tool, to compromise and profile victims' systems. The campaign involved fake online personas, spoofed domains, and outsourced malware development to Tehran-based IT company Mahak Rayan Afraz (MRA), which has ties to the Islamic Revolutionary Guard Corps (IRGC).
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Defense | Verified |
Sector | Journalists | Medium |
Sector | Logistics | Medium |
Sector | Aerospace | Verified |
Sector | Healthcare | Medium |
Region | United Kingdom | Verified |
Region | United States | Verified |
Extracted IOCs
- 1st-smtp2go[.]email
- 2nd-smtp2go[.]email
- 3rd-smtp2go[.]email
- 4th-smtp2go[.]email
- accounts[.]cam
- activesessions[.]me
- adobes[.]software
- alhds[.]net
- apppure[.]cf
- bahri[.]site
- bbcnews[.]email
- bitly[.]cam
- biturl[.]cx
- brdcst[.]email
- careeronestop[.]site
- cc-security-inc[.]email
- ccsecurity-mail-inc[.]email
- ccsecurity-mail-inc[.]services
- citymyworkday[.]com
- cityofberkeley[.]support
- cnbcnews[.]email
- cnnnews[.]global
- codejquery-ui[.]com
- com-account-challenge[.]email
- comlogin[.]online
- comlogin[.]services
- com-signin-v2[.]email
- copyleft[.]today
- crisiswatchsupport[.]shop
- datacatch[.]xyz
- dayzim[.]org
- dh135[.]world
- dollrealdoll[.]com
- dollrealdoll[.]online
- entrust[.]work
- erictrumpfundation[.]com
- facebookservices[.]gq
- fblogin[.]me
- fileblade[.]ga
- findcareersatusbofa[.]com
- fiservcareers[.]com
- goodreads[.]rest
- googl[.]club
- gropinggo[.]com
- hex6mak5z98nubb9vpd6t36cydkncfci9im872qx6hjci2egx8irq3qyt9pj[.]online
- hike[.]studio
- hiremilitaryheroes[.]com
- hosted-microsoft[.]com
- iemail[.]today
- incognito[.]today
- infoga[.]cam
- iqtel[.]org
- irtreporter[.]com
- itieee[.]life
- itiee[.]life
- jessicamcgill[.]life
- jqueryui-code[.]com
- jumhuria[.]com
- kartick[.]net
- kaspersky[.]team
- linkgen[.]me
- linksbit[.]com
- linq[.]ink
- liveleak[.]cam
- liveuamap[.]live
- lockheedmartinjobs[.]us
- loginaccount[.]email
- logonexchangeonline[.]com
- logonmicrosoftonline[.]com
- lskjirn[.]life
- mail2go[.]live
- mail2go[.]online
- mail2u[.]live
- mailaccountlive[.]email
- mailaccountlive[.]support
- mailpublisher[.]live
- mails[.]center
- metacafe[.]live
- micorsoftonilne[.]com
- micorsoftonline[.]website
- micorsoftonline[.]xyz
- microsoftoffice[.]systems
- microsoftonilne[.]cloud
- mispace[.]cam
- msol[.]live
- msonline[.]live
- mssecurityaccount[.]online
- mydomainxyz[.]xyz
- newsl[.]ink
- news-smtp2go[.]email
- noreplay[.]email
- novafile[.]tk
- onpointcorp[.]co
- outlook-services[.]com
- outlookservices[.]live
- outlookservices[.]me
- outube[.]live
- pic-shareonline[.]com
- pixlr[.]live
- post-jquery[.]com
- prefiles[.]ml
- publicsgroupe[.]net
- pwutc[.]live
- rali[.]live
- recruitme[.]international
- robotics[.]land
- sabic[.]work
- sandsngo[.]com
- saudivisions2030[.]org
- securityaccountreply[.]com
- seery[.]online
- sendblaster[.]org
- shareae[.]cf
- shlink[.]run
- shlnk[.]run
- shortli[.]live
- short-l[.]link
- shrt[.]rip
- shur[.]live
- shurl[.]site
- site1[.]life
- smtp2go[.]best
- smtp2go[.]club
- smtp-2go[.]com
- smtp2go[.]email
- smtp2go[.]fun
- smtp2go[.]icu
- smtp2go[.]live
- smtp2go[.]me
- smtp2go[.]pw
- smtp2go[.]site
- smtp2go[.]space
- smtp2go[.]website
- smtper[.]center
- smtptogo[.]pw
- soc-usa[.]email
- soundcloud[.]fun
- soundcloud[.]live
- spreadme[.]international
- src-ymlang[.]link
- support-securitymail[.]email
- support-ymail-team[.]online
- surl[.]ist
- surl[.]live
- sxk8xrjtaikv3dxl7hgghw3vptvxpzzxeynrcltu4k3yeecjq3[.]online
- systembackend[.]site
- techmahindra[.]support
- teleweb[.]world
- tetra[.]email
- thegardian[.]ml
- thegaurdian[.]live
- thomsonsreuters[.]email
- thomsonsreuters[.]eu
- thomsonsreuters[.]link
- thomsonsreuters[.]net
- tinil[.]ink
- tinly[.]me
- tinylink[.]pro
- tinyurl[.]gold
- tiwpan[.]xyz
- tox[.]cheap
- treasury[.]email
- treporter[.]com
- trumphotel[.]net
- trumpnationallosangeles[.]email
- trumporganizations[.]com
- trumporganization[.]world
- tv-youtube[.]com
- uploaderfile[.]cf
- usdailypost[.]com
- usdailypost[.]net
- usdp[.]news
- vps[.]limited
- watch-youtube[.]com
- wikileaks[.]email
- workshopplatform[.]network
- xn--rumphotels-vcc[.]com
- xn--twitte-u9a[.]com
- xyzsitexyz[.]xyz
- ymail-account[.]support
- ymailaccounts[.]us
- ymail-security[.]support
- ymail-security-support[.]email
- ymailsupport[.]info
- zain[.]network
- pixlr.myftp[.]org
- sender.gb[.]net
Tip: 187 IOCs related to this threat have been found (0 IPs, 187 domains, 0 URLs, 0 emails, 0 file hashes).
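Because every indicator above is a domain, the practical use of this list is matching it against DNS or proxy telemetry. The script below is an added example, not code from the page's source or from any vendor cited here: it refangs a handful of entries copied from the list above (the `[.]` notation), then checks constructed DNS log lines (format `timestamp client qtype qname`, an assumption made for the example) against them. Matching is done on whole labels, so a query for the legitimate `smtp2go.com` does not hit the lookalike `smtp-2go[.]com`, while subdomains of a listed domain (`api.smtp2go.email`) do.

```python
from __future__ import annotations

import re
from typing import Iterable, Optional

# Six entries copied from the IOC list above, still defanged with "[.]".
IOC_TEXT = """\
- 1st-smtp2go[.]email
- hiremilitaryheroes[.]com
- lockheedmartinjobs[.]us
- smtp2go[.]email
- smtp-2go[.]com
- xn--twitte-u9a[.]com
"""


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be compared with log data."""
    s = ioc.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp", "http", s)   # hxxp:// and hxxps:// -> http(s)://
    return s.rstrip(".")              # drop a trailing FQDN dot


def load_iocs(text: str) -> set[str]:
    """Parse '- domain' bullet lines into a set of refanged domains."""
    return {refang(line.strip()[2:]) for line in text.splitlines()
            if line.strip().startswith("- ")}


def normalize_host(host: str) -> str:
    """Lower-case and strip the trailing dot resolvers often log."""
    return host.strip().lower().rstrip(".")


def match_domain(host: str, iocs: set[str]) -> Optional[str]:
    """Return the IOC that 'host' equals or is a subdomain of, else None.

    Walks the label boundaries only, so a lookalike such as 'smtp-2go.com'
    never matches the real 'smtp2go.com' by substring accident.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed log format for this example: "<timestamp> <client> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def scan_dns_log(lines: Iterable[str], iocs: set[str]) -> list[dict]:
    """Return one hit record per log line whose query name matches an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:                      # malformed or unrelated line: skip it
            continue
        ioc = match_domain(m["qname"], iocs)
        if ioc is not None:
            hits.append({"line": n, "client": m["client"],
                         "qname": normalize_host(m["qname"]), "ioc": ioc})
    return hits


# Constructed sample log: lines 1, 4 and 5 should hit; 2, 3 and 6 should not.
SAMPLE_LOG = [
    "2021-07-15T10:02:11Z 10.1.4.22 A www.hiremilitaryheroes.com.",
    "2021-07-15T10:02:13Z 10.1.4.22 A mail.example.com",
    "2021-07-15T10:03:40Z 10.1.7.9 A smtp2go.com",
    "2021-07-15T10:04:02Z 10.1.7.9 A 1ST-SMTP2GO.EMAIL",
    "2021-07-15T10:05:55Z 10.1.9.3 A api.smtp2go.email.",
    "malformed entry",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, load_iocs(IOC_TEXT)):
        print(f"line {hit['line']}: {hit['client']} queried {hit['qname']} "
              f"(matches {hit['ioc']})")
```

Feed `load_iocs` the full "Extracted IOCs" block rather than the six-line excerpt to cover the whole list; punycode entries such as `xn--twitte-u9a[.]com` are compared in their ASCII wire form, so convert any Unicode hostnames in your logs with IDNA encoding before matching.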
Overlaps
Source: Cisco Talos - September 2019
Detection (two cases): hiremilitaryheroes[.]com, spreadme[.]international
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.