SYMBOLCOMMON_NAMEaka. SYNONYMS

Tortoiseshell  (Back to overview)

aka: IMPERIAL KITTEN

A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.


Associated Families
win.liderc win.syskit

References
2022-03-30Recorded FutureInsikt Group
@techreport{group:20220330:social:e36c4e5, author = {Insikt Group}, title = {{Social Engineering Remains Key Tradecraft for Iranian APTs}}, date = {2022-03-30}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf}, language = {English}, urldate = {2022-04-05} } Social Engineering Remains Key Tradecraft for Iranian APTs
Liderc pupy
2021-07-28ProofpointJoshua Miller, Michael Raggi, Crista Giering
@online{miller:20210728:i:23e9aad, author = {Joshua Miller and Michael Raggi and Crista Giering}, title = {{I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona}}, date = {2021-07-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media}, language = {English}, urldate = {2021-07-29} } I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona
Liderc SysKit
2021-07-15FacebookMike Dvilyanski, David Agranovich
@online{dvilyanski:20210715:taking:10d945f, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Iran}}, date = {2021-07-15}, organization = {Facebook}, url = {https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/}, language = {English}, urldate = {2021-07-20} } Taking Action Against Hackers in Iran
Liderc SysKit
2019-09-25Twitter (@QW5kcmV3)Andrew Thompson
@online{thompson:20190925:apt35:b6b82f0, author = {Andrew Thompson}, title = {{Tweet on APT35 activity}}, date = {2019-09-25}, organization = {Twitter (@QW5kcmV3)}, url = {https://twitter.com/QW5kcmV3/status/1176861114535165952}, language = {English}, urldate = {2020-01-08} } Tweet on APT35 activity
SysKit
2019-09-24DARKReadingKelly Jackson Higgins
@online{higgins:20190924:iranian:4966d90, author = {Kelly Jackson Higgins}, title = {{Iranian Government Hackers Target US Veterans}}, date = {2019-09-24}, organization = {DARKReading}, url = {https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897}, language = {English}, urldate = {2020-03-22} } Iranian Government Hackers Target US Veterans
SysKit Tortoiseshell
2019-09-24Cisco TalosWarren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20190924:how:ac2b53e, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{How Tortoiseshell created a fake veteran hiring website to host malware}}, date = {2019-09-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html}, language = {English}, urldate = {2019-12-02} } How Tortoiseshell created a fake veteran hiring website to host malware
Liderc SysKit
2019-09-18SymantecSecurity Response Attack Investigation Team
@online{team:20190918:tortoiseshell:4881fc1, author = {Security Response Attack Investigation Team}, title = {{Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks}}, date = {2019-09-18}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain}, language = {English}, urldate = {2020-01-13} } Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks
SysKit Tortoiseshell

Credits: MISP Project