'Tortoiseshell' group targets IT companies through supply-chain attacks

'Tortoiseshell', a previously undocumented attack group, is using both custom and off-the-shelf malware to target IT providers; a Black Hat survey quantifies the third-party threat

The supply chain continues to be an easy point of attack on global corporations. The latest target group is IT service providers in Saudi Arabia, according to researchers at Symantec. A survey of Black Hat attendees also quantifies third-party threats.

"A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appears to be supply chain attacks with the end goal of compromising the IT providers’ customers," said the Symantec report on the Tortoiseshell threat.

"The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organisations hit by the group, the majority of which are based in Saudi Arabia. In at least two organisations, evidence suggests that the attackers gained domain admin-level access," the report explained.

The researchers have traced Tortoiseshell activity since July 2018. They found that several hundred computers were infected with malware in its targeted attacks. "This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them," the report noted.

The initial entry point for the attacks was unclear; the report assesses it was most likely a compromised web server in the supply chain. Once they gain access to a machine on the network, Tortoiseshell deploys a range of information-gathering tools that harvest details about the host, such as its IP configuration, running applications, system information and network connectivity.
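The inventory described above (IP configuration, running processes, system details, network connections) is exactly what the built-in Windows discovery commands return, and a dropper that runs them all within a minute or two looks different from an administrator typing them over a working day. The detector below is an added example, not code from Symantec's report or the Tortoiseshell tooling. It works over constructed process-creation records in a simplified `time|host|parent image|image|command line` layout (a real pipeline would read the `UtcTime`, `ParentImage` and `Image` fields of Sysmon event 1 or the equivalent 4688 fields); the hostnames, paths and `update.exe` parent are assumptions made up for the sample.

```python
# Added example: flag a host that runs a burst of built-in discovery commands
# within a short window. The records below are constructed, not real telemetry.
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries that collect the inventory described in the article.
DISCOVERY = {"ipconfig.exe", "systeminfo.exe", "netstat.exe", "tasklist.exe",
             "whoami.exe", "net.exe", "nltest.exe", "arp.exe", "route.exe"}
WINDOW = timedelta(minutes=5)   # burst window
THRESHOLD = 4                   # distinct discovery commands per host within WINDOW

# Constructed sample: "time|host|parent image|image|command line".
SAMPLE_EVENTS = [
    # WS-077: an interactive admin runs two commands from cmd.exe (below threshold).
    r"2019-09-10T08:02:11|WS-077|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all",
    r"2019-09-10T08:02:40|WS-077|C:\Windows\System32\cmd.exe|C:\Windows\System32\whoami.exe|whoami /groups",
    # WS-041: five distinct discovery commands in 70 seconds, all spawned by one non-system binary.
    r"2019-09-10T08:14:02|WS-041|C:\Users\Public\update.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all",
    r"2019-09-10T08:14:09|WS-041|C:\Users\Public\update.exe|C:\Windows\System32\systeminfo.exe|systeminfo",
    r"2019-09-10T08:14:31|WS-041|C:\Users\Public\update.exe|C:\Windows\System32\netstat.exe|netstat -ano",
    r"2019-09-10T08:14:55|WS-041|C:\Users\Public\update.exe|C:\Windows\System32\tasklist.exe|tasklist /v",
    r"2019-09-10T08:15:12|WS-041|C:\Users\Public\update.exe|C:\Windows\System32\net.exe|net user /domain",
    # DC-01: the same commands spread over hours is ordinary admin activity.
    r"2019-09-10T09:00:00|DC-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig",
    r"2019-09-10T10:30:00|DC-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\netstat.exe|netstat -an",
    r"2019-09-10T12:05:00|DC-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\tasklist.exe|tasklist",
    r"2019-09-10T15:45:00|DC-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\systeminfo.exe|systeminfo",
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> tuple[datetime, str, str, str]:
    """Return (timestamp, host, parent image name, image name) for one record."""
    ts, host, parent, image, _cmdline = line.split("|", 4)
    return datetime.fromisoformat(ts), host, _basename(parent), _basename(image)


def discovery_bursts(lines: list[str]) -> dict[str, dict]:
    """Hosts whose distinct discovery commands inside any WINDOW reach THRESHOLD.

    Returns {host: {"commands": [...], "parents": [...]}} describing the largest
    qualifying window seen on each host; the parents list shows whether the
    commands came from one dropper or from an interactive shell.
    """
    per_host: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)
    for line in lines:
        ts, host, parent, image = parse_event(line)
        if image in DISCOVERY:
            per_host[host].append((ts, image, parent))

    flagged: dict[str, dict] = {}
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over sorted events
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            commands = {img for _, img, _ in window}
            if len(commands) >= THRESHOLD:
                previous = flagged.get(host)
                if previous is None or len(commands) > len(previous["commands"]):
                    flagged[host] = {"commands": sorted(commands),
                                     "parents": sorted({p for _, _, p in window})}
    return flagged


if __name__ == "__main__":
    for host, detail in discovery_bursts(SAMPLE_EVENTS).items():
        print(host, detail["commands"], "spawned by", detail["parents"])
```

The threshold and window are tuning knobs: a busy helpdesk host will trip a low threshold, so in practice the parent image is the stronger signal, and a burst whose parent is not `cmd.exe`, `powershell.exe` or a known management agent deserves a look regardless of the count.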

"On at least two victim networks, Tortoiseshell deployed its information-gathering tools to the Netlogon folder on a domain controller. This results in the information gathering tools being executed automatically when a client computer logs into the domain. This activity indicates the attackers had achieved domain admin level access on these networks, meaning they had access to all machines on the network," the report said.
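Dropping a tool into the Netlogon share is a loud move: the share is replicated to every domain controller and read by every domain member at logon, so writes to it should be rare and change-controlled. Windows can record every such access as Security event 5145 (Detailed File Share) once the "Audit Detailed File Share" subcategory is enabled on the domain controllers. The triage below is an added example, not code from the Symantec report: it parses events in the field layout of a 5145 message (`Share Name`, `Relative Target Name`, `Access Mask`, `Account Name`, `Source Address`) and flags writes, additions and deletions on the NETLOGON and SYSVOL shares. The sample events, account names and addresses are constructed for the example.

```python
# Added example: flag writes to the NETLOGON/SYSVOL shares of a domain
# controller from Windows Security event 5145. Sample events are constructed.
from __future__ import annotations
import re

# Bits of the 5145 "Access Mask" field (Win32 file access rights).
FILE_WRITE_DATA = 0x00002    # AddFile when the target is a directory
FILE_APPEND_DATA = 0x00004   # AddSubdirectory when the target is a directory
DELETE = 0x10000
WRITE_DAC = 0x40000
WRITE_BITS = FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | WRITE_DAC

# Shares whose contents every domain member executes or applies at logon.
LOGON_SHARE = re.compile(r"\\\\\*\\(NETLOGON|SYSVOL)", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(exe|dll|bat|cmd|ps1|vbs|js|scr|com|msi|hta)$", re.IGNORECASE)

SAMPLE_EVENTS = [
    # Normal logon: a workstation reads the logon script (ReadData = 0x1).
    r"""Event ID: 5145
Account Name: WS-041$
Account Domain: CORP
Source Address: 10.20.0.41
Share Name: \\*\NETLOGON
Relative Target Name: logon.bat
Access Mask: 0x1""",
    # Suspicious: an executable is added to NETLOGON from a member server.
    r"""Event ID: 5145
Account Name: svc_deploy
Account Domain: CORP
Source Address: 10.20.0.45
Share Name: \\*\NETLOGON
Relative Target Name: inv.exe
Access Mask: 0x2""",
    # A write to an admin share is not a logon-share event (out of scope here).
    r"""Event ID: 5145
Account Name: svc_deploy
Account Domain: CORP
Source Address: 10.20.0.45
Share Name: \\*\C$
Relative Target Name: Windows\Temp\tools.exe
Access Mask: 0x2""",
    # Cleanup: the same account later deletes a script from SYSVOL.
    r"""Event ID: 5145
Account Name: svc_deploy
Account Domain: CORP
Source Address: 10.20.0.45
Share Name: \\*\SYSVOL
Relative Target Name: corp.local\scripts\collect.ps1
Access Mask: 0x10000""",
    # A non-executable write: still unusual on NETLOGON, reported at lower priority.
    r"""Event ID: 5145
Account Name: svc_deploy
Account Domain: CORP
Source Address: 10.20.0.45
Share Name: \\*\NETLOGON
Relative Target Name: notes.txt
Access Mask: 0x2""",
]


def parse_event(text: str) -> dict[str, str]:
    """Split a 'Field: value' event body into a dict (first colon separates key and value)."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify(fields: dict[str, str]) -> str | None:
    """Return 'write-executable', 'write-other' or None for one parsed event."""
    if fields.get("Event ID") != "5145":
        return None
    if not LOGON_SHARE.fullmatch(fields.get("Share Name", "")):
        return None
    mask = int(fields.get("Access Mask", "0"), 16)
    if not mask & WRITE_BITS:
        return None                     # reads are normal at every logon
    target = fields.get("Relative Target Name", "")
    return "write-executable" if EXEC_EXT.search(target) else "write-other"


def triage(events: list[str]) -> list[tuple[str, str, str, str]]:
    """Return (verdict, account, source address, share\\target) for every flagged event."""
    hits = []
    for text in events:
        f = parse_event(text)
        verdict = classify(f)
        if verdict:
            hits.append((verdict,
                         f"{f['Account Domain']}\\{f['Account Name']}",
                         f["Source Address"],
                         f"{f['Share Name']}\\{f['Relative Target Name']}"))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```

Detailed File Share auditing is noisy (one event per file access on every share), so filter on share name at the collector rather than in the SIEM. Legitimate Group Policy edits also show up as `write-other` hits on SYSVOL; baseline the administrative hosts and accounts that perform them and alert on everything else, especially any `write-executable` hit from a source address that is not a domain controller or a management server.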

Going through the supply chain gives attackers a route into the target company's network without having to breach the target's own perimeter directly, which reduces the risk of being discovered. Even if the third party's alarms are triggered, it is difficult to deduce the intended target.

The Tortoiseshell attacks are similar to the initial attack vectors of Stuxnet, Synopsys senior security strategist Jonathan Knudsen pointed out.

"Supplier companies were initially infected with Stuxnet. Supplier employees then hand-carried the infection inside the air-gapped target network via laptops or USB drives," he said.

"Intruders have figured out that it may be easier to outflank a target by attacking its vendors, rather than failing with a frontal assault against the target itself. This reality makes it imperative for managed service providers (MSPs) to monitor network access to not only their corporate assets, but access from the MSP to their customers," said Richard Bejtlich, principal security strategist at Corelight.

Researchers and authorities have regularly warned companies about the risks posed by third parties and supply chains.

The UK’s Financial Conduct Authority (FCA) recorded 819 cyber-crime incidents in 2018, of which 21 percent were caused by third-party failures. "Understand the connectivity between and dependency on partners. Adopting the view that you only need to be concerned with suppliers limits the ability to think wider about third party risk," the FCA said in its report ‘Cyber security - industry insights’ in March 2019.

Companies, too, are aware of the rising risk. According to a survey conducted by Gurucul among 476 IT professionals at Black Hat 2019 in August, 74 percent of companies are either planning or taking steps to mitigate the security risks posed by third-party vendors. Among those professionals, managed service providers (MSPs) were the third party of greatest concern, ahead of systems integrators and developers.

"The fact that companies are having to take proactive steps against what should be a trusted partner is extremely concerning and, with breaches showing no sign of slowing down, it further highlights the dangers they pose for organisations," said Nilesh Dherange, CTO, Gurucul.

There are two vital strategies for securing the supply chain, said Sam Curry, chief security officer at Cybereason.

"The first category involves transparency and working together outside the company: going on-site, reviewing without policies, monitoring practices, sharing intelligence, improving together and doing so without bayoneting the wounded in a spirit of trust," he said. 

"The second is an older and more traditional technique: inspect suppliers and put controls in place without allowing anyone to come from a position of privilege that bypasses controls. Trust-but-verify should apply externally to strangers, to partners and to insiders equally; and if this is onerous, the challenge is on security to innovate and remove friction from security controls and processes, not to remove the controls themselves," he added.
