Why Tortoiseshell is targeting IT providers in Saudi Arabia

As Symantec reveals that the new hacking group Tortoiseshell compromised a dozen organisations in a string of attacks lasting from July 2018 to July 2019, we ask why the group is targeting Saudi Arabia.

For more than a year, a previously undocumented attack group has been using a combination of custom and off-the-shelf malware tools to launch cyber attacks on IT providers in the Middle East.

According to security researchers at US-based software firm Symantec, cyber criminals from a group dubbed Tortoiseshell compromised a dozen organisations in a string of attacks lasting from July 2018 to July 2019. It's believed that the majority of these attacks took place in Saudi Arabia.

The attacks were a huge success for the group. Two victims saw several hundred computers infected with malware. Symantec calls this unusual, saying it suggests that the "attackers may have been forced to infect numerous machines in order to infiltrate ones of interest to them". And at least two other organisations saw attackers gain domain admin-level access to their systems.

"Tortoiseshell is a previously undocumented attack group that has not been published about before. They have been active since at least July 2018, and Symantec has identified a total of 11 organisations hit by the group," says Orla Cox, director of security response at Symantec.


Lucrative targets

But why is Tortoiseshell focusing on IT providers? Cox believes that this group is attacking them to gain access to their customers, although its exact intentions are unknown. She says: "They are targeting IT providers in Saudi Arabia in what are probable supply chain attacks, with the end goal of compromising the IT providers' customers.

"We have seen activity from this group as recently as July 2019. The customer profiles of the targeted IT companies are unknown, but Tortoiseshell is not the first group to target organisations in the Middle East, as we have covered in previous blogs."

She points out that IT providers are an ideal target for attackers because they have high-level access to their clients' computers. "This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines," says Cox.

"This provides access to the victims' networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered. The targeting of a third-party service provider also makes it harder to pinpoint who the attackers' true intended targets were."


How they work

Symantec found that Tortoiseshell used a "unique component" called Backdoor.Syskit to gain backdoor access to systems. The group also leveraged a range of public tools in its attacks, such as Infostealer/Sha.exe/Sha432.exe, Infostealer/stereoversioncontrol.exe and get-logon-history.ps1.

"The initial infection vector used by Tortoiseshell to get onto infected machines has not been confirmed, but it is possible that, in one instance, a web server was compromised to gain access by the attacker," explains Cox. "For at least one victim, the first indication of malware on their network was a web shell. This indicates that the attackers likely compromised a web server, and then used this to deploy malware onto the network."

She explains that by using Backdoor.Syskit, the attackers could download and execute additional tools and commands. Cox adds: "The actors behind it have developed it in both Delphi and .NET. Tortoiseshell also uses off-the-shelf malware in its attacks, as well as dumping tools and PowerShell backdoors."

When asked if the targets had anything in common, Cox explains that the IT companies are primarily based in Saudi Arabia. But she admits: "We have no further insight into their customer profiles. We also don't have any further insight into how they were affected by these attacks."

That said, Symantec's research has revealed some interesting findings. Earlier, we explained that Tortoiseshell had infected several hundred computers at two target companies. Cox says this is an "unusually large number of computers to be compromised in a targeted attack" as the attackers may have "been forced to infect many machines before finding those that were of most interest to them".

The attackers also gained domain admin access to several organisations, meaning they could have accessed all computers in the network. Cox tells IDG Connect: "In these organisations the attackers used their domain admin access to automatically execute information-gathering tools on all client computers when they logged into the network."
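As an added defender-side example (not code from Symantec's report or from the article), the following Python sketch flags the pattern Cox describes: the same tool appearing on many client computers shortly after logon. The event format, host names and the `collect.exe` stand-in are constructed for the example, and the allowlist stands in for a baseline of known legitimate logon scripts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tool names the article lists for Tortoiseshell; any execution is alert-worthy.
KNOWN_TOOLS = {"sha.exe", "sha432.exe", "stereoversioncontrol.exe", "get-logon-history.ps1"}
# Constructed sample events (timestamp,host,user,parent,image-or-script): logon.bat is a
# benign domain logon script, collect.exe stands in for a collector pushed to every client.
SAMPLE_EVENTS = r"""
2019-07-01T08:00:12,WS01,alice,userinit.exe,\\dc01\netlogon\logon.bat
2019-07-01T08:00:14,WS01,alice,cmd.exe,C:\Windows\Temp\collect.exe
2019-07-01T08:02:40,WS02,bob,userinit.exe,\\dc01\netlogon\logon.bat
2019-07-01T08:02:42,WS02,bob,cmd.exe,C:\Windows\Temp\collect.exe
2019-07-01T08:05:03,WS03,carol,userinit.exe,\\dc01\netlogon\logon.bat
2019-07-01T08:05:05,WS03,carol,cmd.exe,C:\Windows\Temp\collect.exe
2019-07-01T09:15:00,WS04,dave,explorer.exe,C:\Program Files\App\app.exe
2019-07-01T10:30:00,SRV02,svc_admin,powershell.exe,C:\Users\Public\get-logon-history.ps1
"""

def parse(text):
    """Parse the simplified CSV into (ts, host, user, parent, image basename) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, image = line.split(",")
        events.append((datetime.fromisoformat(ts), host, user, parent,
                       PureWindowsPath(image).name.lower()))
    return events

def detect_logon_fanout(events, window=timedelta(minutes=30), min_hosts=3, allowlist=frozenset()):
    """{basename: sorted hosts} for images matching KNOWN_TOOLS or launched on
    >= min_hosts distinct hosts within one window; allowlist suppresses baselined images."""
    by_image = defaultdict(list)
    for ts, host, _user, _parent, image in events:
        if image not in allowlist:
            by_image[image].append((ts, host))
    alerts = {}
    for image, runs in by_image.items():
        hosts = sorted({h for _, h in runs})
        if image in KNOWN_TOOLS:
            alerts[image] = hosts
            continue
        runs.sort()
        lo = 0
        for hi in range(len(runs)):
            while runs[hi][0] - runs[lo][0] > window:  # drop runs older than the window
                lo += 1
            if len({h for _, h in runs[lo:hi + 1]}) >= min_hosts:
                alerts[image] = hosts
                break
    return alerts
```

In practice the records would come from Windows 4688 or Sysmon process-creation events, and the allowlist from a baseline of the domain's real logon scripts.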

In another attack, the researchers identified a tool called Poison Frog. Cox says: "Poison Frog is associated with another group called Oilrig and is therefore likely unrelated to the Tortoiseshell activity. However, it demonstrates how at least one victim was of interest to multiple attack groups."


Mitigating such attacks

These attacks come at a time of increased political tension in the Middle East. Dave Klein, senior director of engineering at Guardicore Labs, believes that Tortoiseshell is an Iranian APT attack attempting to thwart Saudi oil production.

Klein says this comes down to two reasons. "First, just a few days ago a proxy/direct attack via drones crippled physical infrastructure. Second, custom and living off the land is very APTish and especially Iranian APTish. They are afraid of existing kits having infiltration capabilities that could be used against them."

This, according to Klein, means that protecting critical infrastructure is essential. He continues: "Oil production is the economic lifeblood of Saudi Arabia with any interruption causing political and economic instability. On the protection side, it may sound like a broken record with a twist.

"The message is 'Hygiene, visibility and segmentation'. The twist? I sense there is a need for the Saudi oil industry to adopt government-like Sensitive Compartmented Information Facility (SCIF) techniques; air-gapped networks, locked-down, secure, physical IT facilities with zero acceptance of removable media like USB sticks etc."

Ariel Hochstadt, a cyber security expert and co-founder of vpnMentor, urges organisations to add as many security measures as possible in order to thwart these threats. He says: "What is at hand here is an exploit, which means that there's a control server (two IPs mentioned in Symantec's report) which had at least some remote control on the internal systems mentioned.

"In simple terms, the attackers somehow infected the system (most likely via email attachments that someone clicked on, which then installed malware). According to the report, the malware could gain admin permissions on several stations and could then search the network for more interesting components."

He takes the view that these attacks could easily have been avoided. Hochstadt adds: "If there had been more monitoring and restriction, both on the access point of the malware (email attachment access rules and blocking of execution, email spam filtering, education of workers on phishing emails; cleaning of USBs, wireless check, etc.) and monitoring of the network behavior for unusual traffic (which the malware generates), this issue could have been mitigated."

Cyber attacks leveraging backdoor access tools are far from new. They've become a preferred attack method for cyber criminals in recent times. What's clear is that organisations need to bolster their security strategies in order to identify and respond to attacks before they cause damage.