Posted on September 19, 2019 at 4:51 AM
Hacking Association Targets IT Firms in Effort to Gain Access to Customer Networks
A recent hacking method is reportedly looking to harm companies that provide IT services with malware. The thought around the industry is that it is the initial stage of supply chain attacks looking to compromise organizations at that level.
The hacking group behind the attack is called Tortoiseshell, and its modus operandi includes using a combination of several types of malware, notably custom and off-the-shelf. For now, there are no indications that the association is linked with a particular nation-state or any espionage project.
Cybersecurity specialists at known company Symantec were the ones that revealed the details about the campaign, as there was no information available before the company mentioned it.
Since July 2018
According to the reports, the group has been up and running since July 2018 at the very least. During its time inactivity, it has targeted a minimum of 11 IT providing firms, per the researching group, with the majority of them being in Saudi Arabia.
According to the evidence available at the time, the hackers could obtain access to the domain admin level to a couple of companies, allowing them to access machines and devices on that network.
The investigators found out a disturbing development: in two of the events, hundreds of devices were affected by the malware in question, which indicates that the cybercriminals were looking to infect the highest possible number of machines in all the corporations as they sought to spot key targets.
Tortoiseshell’s latest strike was just a few weeks ago, on July 2019, when it was registered that the group’s activity had spotted Backdoor.Syskit, a unique custom payload.
The malware’s modus operandi is to open a backdoor in the breached devices, which will let hackers gather data such as OS version, IP number, and the name of the specific computer, among other details. The malware is built in Delphi and .NET.
The Syskit threat has the ability to download and run other resources and commands. The attacks perpetrated by Tortoiseshell can make use of information that is easily obtainable. It wants to collect user data, patterns, behavior, and activity.
A Compromised Web Server May be Behind The Attack
The way that the malware is being reproduced and/or delivered is still not clear, but investigators are speculating with the fact that a compromised web server may be behind its reproduction and distribution.
Taking into account that the initial sign of a malware infection on the network was a breached web shell, the mentioned scenario may be a feasible explanation.
According to Gavin O’Gorman, using an obsolete or rudimentary exploit to compromise a specific web server can usually be a better strategy than e-mail, for example, as sending phishing emails requires the attacker to have at least some level of knowledge of the person receiving the message, with customization in mind.
Since the attack shifts its focus to IT firms, the investigators and specialists think that it could represent the initial phase of a supply chain offense and that cybercriminals are looking to breach those enterprises supplying the IT as a platform to access clients’ networks and databases.
Distribution of Software With Malicious Code
Hackers that perform supply chain attacks often implement several methods to achieve their goal, such as the distribution of software improvements with dubious code. And since IT firms have so much access to customer networks, they are seen as prime targets by cybercriminals.
The level of interest that hackers have in these IT companies is quite high. Symantec concluded that lots of them have been targeted in the past with leaked resources linked to APT 34 (referred to as Oilrig and Helix Kitten, as well,) which is a hacking proceeding usually associated with Iranian authorities.
In this case, however, no link with Tortoiseshell is believed to exist, at least judging by the evidence found by Symantec. However, the supply chain attack is a sign that some associations may be interested in the Middle East and specifically in Saudi Arabia.