 |
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
|
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
APT group: Tortoiseshell, Imperial Kitten| Names | Tortoiseshell (Symantec) Imperial Kitten (CrowdStrike) TA456 (Proofpoint) Curium (Microsoft) Marcella Flores (self given) Houseblend (?) Crimson Sandstorm (Microsoft) | |
| Country |  Iran | |
| Sponsor | State-sponsored | |
| Motivation | Information theft and espionage | |
| First seen | 2018 | |
| Description | (Symantec) A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access. | |
| Observed | Sectors: Defense, IT, Shipping and Logistics, Maritime and Shipbuilding. Countries: Saudi Arabia, UAE, USA and Middle East. | |
| Tools used | get-logon-history.ps1, Infostealer, LEMPO, liderc, SysKit. | |
| Operations performed | Sep 2019 | Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. <https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html> |
| Nov 2020 | I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona <https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media> | |
| May 2023 | Operation “Fata Morgana” Fata Morgana: Watering hole attack on shipping and logistics websites <https://www.clearskysec.com/wp-content/uploads/2023/05/Fata-Morgana-Israeli-Websites-Infected-by-Iranian-Group-1.8.pdf> | |
| Counter operations | Jul 2021 | Taking Action Against Hackers in Iran <https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/> |
| Information | <https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain> | |
Last change to this card: 21 June 2023
Download this actor card in PDF or JSON format
Previous: Tortilla
Next: Tracer Kitten
|
Digital Service Security Center Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1227 | |
 |
[email protected] | |