New Hacking Group Seen Laying Foundation for Supply Chain Attack

A new hacking group has emerged from the shadows. Dubbed Tortoiseshell by researchers, the group has been seen targeting IT companies, and the reason appears to be that it is laying the foundation for a supply chain attack. Such attacks can be a nightmare for organizations, as they often target the less secure elements of an organization, whether a third-party supplier or an in-house system that is not properly secured, which could grant access to the entire network.

According to a report published by Symantec, the new group uses a combination of custom tools and off-the-shelf malware to conduct its operations. The group has been active since the middle of 2018 and in that time has targeted at least 11 IT providers, most of which reside in Saudi Arabia. According to the researchers, the group aimed to gain domain-level access, which would grant it access to an organization's entire network. It appears that the group managed to pull this off on two separate occasions.

The group also looks to infect as many computers as possible in order to gain domain-level access. The thought process behind this might be that the more machines are compromised, the greater the chance of finding one on which such access has already been granted.

According to Symantec, the most recent activity of the group can be traced back to July of this year. In this round of activity the group used a custom malware payload named Backdoor.Syskit, which Symantec describes as a backdoor trojan capable of collecting information such as the IP address, computer name, operating system version, and MAC address. The malware is coded in both Delphi and .NET and is specifically designed to open an initial backdoor into a targeted computer. The trojan can then be used to download and execute new tools or commands. Tortoiseshell has also been seen in the past deploying several publicly available tools as information stealers to gather data on user activity.


How exactly the malware is delivered is not known, but researchers believe that it could potentially be distributed via a compromised web server. This assumption is based on the fact that the first discovered instance of Backdoor.Syskit was delivered via a compromised web shell. This can be a simpler approach than a spear-phishing email, as by compromising a web shell the attacker does not have to craft an email that convinces a user to download a malicious file. To do that successfully, the attacker would require a certain amount of knowledge about the organization and the person receiving the malicious mail.

Why IT companies?

Researchers believe that IT companies have been targeted by Tortoiseshell because these are the first steps of a supply chain attack that will later be used to infect the companies' clients. Given that IT companies often have high levels of access to clients' networks, it would seem an obvious choice to target them first in such an attack. When attacks occur in the Middle East, the specter of political interference always seems to be suggested. While Tortoiseshell makes use of tools previously known to be used by an APT group linked to the Iranian government, it is believed that Tortoiseshell is looking to privately profit from cyberattacks. Rather than being linked to any state-sponsored cyberespionage groups, Tortoiseshell's activity simply represents the wider interest many hacking groups have in the region.

It was mentioned that these attacks are the first stages of a supply chain attack, but what exactly is this method of attack? A supply chain attack can be defined as an instance where an attacker infiltrates an outside partner in order to reach the primary target. Service providers, such as IT companies and managed security companies, have privileged access to client networks, which makes them a prime target for groups looking to steal data from major companies.

One of the better-known supply chain attacks, or at least one large enough to draw public attention, was the incident involving Target, where the lax security of a heating and air conditioning vendor resulted in the breach of Target's main network. The breach enabled the attacker to gain access to information for over 40 million credit and debit cards as well as the personal information of a further 70 million customers. Another, now infamous, example concerns the Equifax breach, which was also blamed on a supply chain attack.

With regard to IT companies, Symantec concluded that:

“IT providers are an ideal target for attackers given their high level of access to their clients’ computers. This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines. This provides access to the victims’ networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered. The targeting of a third-party service provider also makes it harder to pinpoint who the attackers’ true intended targets were.”

Organizations and businesses that employ third-party IT specialists are advised to conduct due diligence on the third party's cybersecurity policy and on how that policy is implemented. It is not just IT companies that require careful consideration. As the Target breach proves, even the smallest of third-party vendors can open up an avenue that could result in a massive data breach.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
