According to a recent report, there is a new hacking group out there with rather advanced skills, which managed to compromise as many as 11 IT service providers. The group was reported by security researchers working at Symantec, whose theory is that the hackers’ end-goal might be to gain access to the IT providers’ customers.
The new hacking group emerges
Online security researchers have named the new group Tortoiseshell, and they estimate that the group has been active for a little over a year, starting with their activities in July 2018, possibly even earlier. Their latest exploit was believed to be in July 2019, according to the researchers’ report.
The report also states that the hackers appear to be highly skilled and that they have access to both custom and off-the-shelf hacking tools. The combination of advanced tools and advanced skills has allowed them to compromise as many as 11 different IT providers, and in at least two cases the attackers gained domain admin-level access. This means that they likely gained control over those entire networks, as well as every device connected to them.
Researchers also noted that both the group's implementation of the attacks and the plans behind them are quite notable. Tortoiseshell used what is called a supply chain attack, which compromises services, hardware, software, or anything else that the attackers' real target relies on, in order to reach that target. Such attacks are extremely difficult to pull off, and they require precision, coordination, and a lot of work. Considering that the group has been doing this for a while without being detected, its members are likely highly skilled.
A long, messy campaign
Researchers appear to be convinced that the targets of the group are not IT providers themselves, but someone who has a working relationship with them. They also noted that the malware that the attackers were using was unique and likely developed solely for the purpose of this campaign. This also indicates capability and resourcefulness – something that most small groups do not have.
The first targets are believed to be several IT providers from Saudi Arabia, and while the hackers are considered highly skilled, these initial attacks were far from flawless. Researchers deduced that the group probably intended to operate stealthily. This conclusion comes from the fact that their custom backdoor had a 'kill me' command, meaning that the malware would uninstall itself and remove any trace of its presence if the command was ever issued.
However, on two of these networks hundreds of connected computers were infected with this malware. This indicates that the hackers infected as many devices as possible in order to find the one that was their real target. The downside of this approach is that it made the attack quite easy to spot.
Even Symantec's researchers say the approach was far from impressive or professional: the attackers exposed themselves and risked being caught.
The identity of the attackers
Another unusual detail was that the malicious tool known as Poison Frog appeared around a month before Tortoiseshell started its attack. The tool was originally identified as one used by APT34, a state-sponsored hacking group tied to the Iranian government. The group, also known as OilRig, was itself targeted earlier this year, in April, when an unknown entity published its members' identities, the tools they were using, and other secret information.
OilRig was also targeted once before, in early 2018, when it suffered a hostile takeover of its servers. That attack is believed to have been carried out by another hacking group known as Turla, which is, in turn, believed to be tied to the Russian government. The new report by Symantec states that it is unclear whether the same group was responsible for both the Tortoiseshell tools and Poison Frog, especially since there is a month-long gap between the two infections. For now, the two are treated as unrelated incidents, at least until additional proof emerges.
Another thing that Symantec does not know at this time is how Tortoiseshell managed to infect 11 different networks. The first hint of an infection came in the form of a web shell, a script that provides remote administration of the machine once it is uploaded to a server. This indicates that Tortoiseshell attackers used the web server to gain access to the network and deploy their malware.
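Because a web shell is just another script sitting in the web root, the quickest defensive signal is often in the web server's own access log rather than on disk. The following added example (not code from the report or from Symantec) shows one way to surface a likely web shell from combined-format access logs: it flags script paths that are missing from a deployed-application inventory, receive only POST traffic, and are driven by a single client. The log lines, the inventory set `KNOWN_SCRIPTS`, and the file name `/images/cache.aspx` are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (Combined Log Format); not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2019:08:01:12 +0000] "GET /index.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2019:08:02:30 +0000] "GET /login.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2019:08:02:45 +0000] "POST /login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2019:08:10:01 +0000] "POST /images/cache.aspx?c=1 HTTP/1.1" 200 312 "-" "python-requests/2.22.0"
192.0.2.44 - - [10/Jul/2019:08:10:09 +0000] "POST /images/cache.aspx HTTP/1.1" 200 1987 "-" "python-requests/2.22.0"
192.0.2.44 - - [10/Jul/2019:08:11:15 +0000] "POST /images/cache.aspx HTTP/1.1" 200 88 "-" "python-requests/2.22.0"
203.0.113.5 - - [10/Jul/2019:08:12:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Assumed inventory of scripts the application is known to deploy (hypothetical).
KNOWN_SCRIPTS = {"/index.aspx", "/login.aspx"}
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Parse combined-format lines into dicts; drop query strings so one script
    is counted as one path regardless of parameters."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        d = m.groupdict()
        d["path"] = d["path"].split("?", 1)[0]
        entries.append(d)
    return entries


def find_suspicious_scripts(entries, known_scripts=KNOWN_SCRIPTS):
    """Return script paths that match at least two web-shell indicators."""
    by_path = defaultdict(lambda: {"post": 0, "get": 0, "ips": set()})
    for e in entries:
        if not e["path"].lower().endswith(SCRIPT_EXT):
            continue  # static assets are not candidates
        stats = by_path[e["path"]]
        stats["post" if e["method"] == "POST" else "get"] += 1
        stats["ips"].add(e["ip"])

    findings = []
    for path, s in by_path.items():
        reasons = []
        if path not in known_scripts:
            reasons.append("not in deployed-script inventory")
        if s["post"] > 0 and s["get"] == 0:
            reasons.append("POST-only traffic, never rendered via GET")
        if s["post"] > 0 and len(s["ips"]) == 1:
            reasons.append("all requests from a single client")
        # One indicator alone is common for legitimate endpoints (e.g. a login
        # form), so require at least two before raising a finding.
        if len(reasons) >= 2:
            findings.append({
                "path": path,
                "reasons": reasons,
                "clients": sorted(s["ips"]),
                "requests": s["post"] + s["get"],
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_scripts(parse_log(SAMPLE_LOG)):
        print(f["path"], f["requests"], "requests from", f["clients"])
        for r in f["reasons"]:
            print("  -", r)
```

On the sample data only `/images/cache.aspx` is reported; `/login.aspx` also sees POSTs from one client but is inventoried and rendered via GET, so it stays below the threshold. In practice the inventory would come from the deployment pipeline, and a hit should be confirmed by checking the file's creation time and contents on the server rather than trusted on log evidence alone.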