Symantec has identified a previously unknown attack group that targeted IT providers as an early stage of a supply chain attack operation. Researchers found the group had targeted 11 IT providers, mostly in Saudi Arabia, over the past year.
With heightened geo-political tensions in the Middle East and growing cyberattack capabilities for a number of nation-states in the region, it would be appealing to link TortoiseShell to a specific nation-state or attack group. However, Symantec does not believe Tortoiseshell has ties to previously identified nation-state espionage campaigns or existing cybercrime operations.
"We currently have no evidence that would allow us to attribute Tortoiseshell's activity to any existing known group or nation state," Symantec researchers wrote in their threat report.
Symantec said the fact that IT providers were targeted suggest this was an early stage in a supply-chain attack. Researchers were unable to determine whether Tortoiseshell’s plans involved compromising as many of the IT providers’ customers as possible or if the group was looking for ways to compromise one or few specific organizations. Compromising the IT provider would have likely given the group elevated privileges onto customer networks, specifically because of the nature of the services they offer. Attacks against third-party suppliers are classic supply chain attacks as organizations generally do not scrutinize activity from the suppliers as closely.
IT providers are an ideal target for attackers given their high level of access to their clients' computers,” Symantec said. “This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines.
There are many ways attackers can use the compromised providers on their way to the final target, including hijacking a company’s software update mechanism and distributing modified software updates. NotPetya was such a case, where the attackers compromised a software application’s update mechanism to offer an update package that had been tampered with. Earlier this year attackers compromised computer maker Asus’s update utility and distributed malicious updates to over 1 million users around the world...as part of a highly-targeted operation against several hundred victims.
In at least one case, researchers found that hundreds of computers were infected with malware, indicating the group may have struggled to find the important devices it was interested in and cycled through many different machines first.
This is an unusually large number of computers to be compromised in a targeted attack," Symantec said. “It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them.
Supply chain attacks have been increasing in recent years, with Symantec estimating a 78 percent jump in the number of supply chain attacks in 2018.
Enterprise defenders have to sift through a large volume of information about existing threats and try to determine which of those attacks are more likely to impact their organization. Threat modeling requires thinking about the industry, the kind of assets the organization has, and what may be considered valuable. Supply chain attacks complicate the threat modeling exercise further, as the attack vector may be coming from a trusted partner. Or in the case of the suppliers, they may not be targeted because of any special technology or piece of information they may have, but just because they have a particular customer that may be of interest to someone else.
In the case of Tortoiseshell, the group used a combination of custom and off-the-shelf in its attacks, suggesting the group is interested in using whatever tool is available to carry out its goals. If nothing exists, then the group would resort to making custom tools. Organizations can sometimes get bogged down looking in their networks for indicators of compromise associated with sophisticated nation-state linked groups. But organizations have to also make sure they are scanning for and blocking, well-known and readily available malware on their networks.
The initial infection vector remains a mystery, although researchers found a compromised web shell. For at least one victim, the first indication of malware on their network was a web shell," according to Symantec's threat report on Tortoiseshell, published today. "This indicates that the attackers likely compromised a web server, and then used this to deploy malware onto the network.
In at least two of the attacks, the attackers gained domain administrator-level access and used the heightened privileges to deploy known information gathering tools onto the domain controller’s Netlogon directory. This gave attackers access to all machines on the network and the ability to harvest all manner of device and user information whenever the user logged into the network.
Tortoiseshell has been active since at least July 2018 and its most recent activity was in July of this year. In the most recent attack, Tortoiseshell used custom backdoor malware to collect device information such as the IP address, operating system version, and the hostname of the computer on the network. The backdoor then launched other readily-available information stealing malware to harvest user data.
Some of the IT providers had been previously targeted by other groups, as researchers found evidence in their networks of tools typically used by other nation-state backed groups. The presence of other groups should not be considered evidence linking Tortoiseshell to these groups, but that attack groups are intensely interested in the Middle East for various geopolitical reasons.