Saudi IT Providers Hit in Cyber Espionage Operation

Symantec identifies new 'Tortoiseshell' nation-state group as the attackers.

In what appears to be a coordinated and targeted cyber espionage campaign, the networks of several major IT providers in Saudi Arabia were attacked in the past year as a stepping-stone to the attackers' ultimate targets in that region.


Researchers at Symantec say the attackers have been operating since July 2018 and appear to be a previously unidentified threat group, which Symantec has christened Tortoiseshell. The group infiltrated at least 11 organizations, mostly in Saudi Arabia and including large IT providers, employing both off-the-shelf tools and its own custom malware. In two of the compromised organizations the attackers obtained domain-level administrative access, giving them reach over every machine on those networks.


The researchers say Tortoiseshell does not appear to be related to any known groups operating in the Middle East. However, one victim organization was also infiltrated via a backdoor associated with the Iranian nation-state group Oilrig (aka APT34). Even so, Symantec says there is no confirmed connection indicating that Tortoiseshell is actually Oilrig.


"There's no code overlap or shared infrastructures" with other groups, says Jon DiMaggio, a senior threat intelligence analyst with Symantec. "So we put this activity into its own bucket."


Symantec does not tie specific nations to threat groups unless they've been identified by the US government. 


At a time when many nation-state hacking groups have abandoned custom tools and malware in favor of legitimate, off-the-shelf IT tools to stay under the radar, Tortoiseshell partly bucks that trend: it pairs its own custom backdoor with legitimate IT tools such as PowerShell to camouflage its activity. Its Backdoor.S ..
