ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Tortoiseshell, Imperial Kitten

Names: Tortoiseshell (Symantec)
Imperial Kitten (CrowdStrike)
TA456 (Proofpoint)
Curium (Microsoft)
Marcella Flores (self given)
Houseblend (?)
Crimson Sandstorm (Microsoft)
Yellow Liderc (PWC)
UNC1549 (Mandiant)
Country: Iran
Sponsor: State-sponsored, Islamic Revolutionary Guard Corps (IRGC)
Motivation: Information theft and espionage
First seen: 2018
Description: (Symantec) A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers' customers.

The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.
Observed sectors: Aerospace, Defense, IT, Shipping and Logistics, Maritime and Shipbuilding.
Observed countries: Saudi Arabia, UAE, USA and Middle East.
Tools used: get-logon-history.ps1, IMAPLoader, Infostealer, LEMPO, liderc, SysKit.
Operations performed:
Sep 2019: Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans.
<https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html>
Nov 2020: I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona
<https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media>
2022: Yellow Liderc ships its scripts and delivers IMAPLoader malware
<https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html>
Jun 2022: When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors
<https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east>
May 2023: Operation "Fata Morgana"
Fata Morgana: Watering hole attack on shipping and logistics websites
<https://www.clearskysec.com/wp-content/uploads/2023/05/Fata-Morgana-Israeli-Websites-Infected-by-Iranian-Group-1.8.pdf>
Oct 2023: IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations
<https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/>
Counter operations:
Jul 2021: Taking Action Against Hackers in Iran
<https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/>
Information:
<https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain>
<https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/>

Last change to this card: 07 March 2024

