A previously undocumented attack group with advanced hacking skills has compromised 11 IT service providers, most likely with the end goal of gaining access to their customers' networks, researchers from security firm Symantec said on Wednesday.

The group, dubbed Tortoiseshell, has been active since at least July 2018 and has struck as recently as July of this year, researchers with the Symantec Attack Investigation Team said in a post. In a testament to Tortoiseshell’s skill, the new group used both custom and off-the-shelf hacking tools. At least two of the 11 compromises successfully gained domain admin level access to the IT providers’ networks, a feat that gave the group control over all connected machines.

Tortoiseshell's planning and implementation of the attacks was also notable. By definition, a supply chain attack is hacking that compromises trusted software, hardware, or services used by targets of interest. These types of attacks require more coordination and work. Taken together, the elements suggest that Tortoiseshell is likely a skilled group.

“The most advanced part of this campaign is the planning and the implementation of the attacks themselves,” a member of Symantec’s research team wrote in an email. “The attacker had to have multiple objectives achieved in an operational fashion in order to compromise the true targets which would have relationships with the IT provider.”

The researcher continued: “The use of custom, unique malware developed for an advanced campaign such as this shows the attacker has resources and capabilities that most low to mid level adversaries simply do not have. Putting all these pieces together built a bigger picture, which matched the profile of an advanced well-resourced attacker.”

Blown cover

The campaign, which primarily infected IT providers in Saudi Arabia, was by no means perfect. A custom backdoor used by Tortoiseshell had a “kill me” command that allowed attackers to uninstall the malware and remove all traces of infection. The presence of this feature suggested that stealth was a key objective in the campaign. But two of the compromised networks had several hundred connected computers infected with malware. The unusually large number was likely the result of the attackers having to infect many machines before finding the ones of interest. Whatever the cause, the large number of infections made it easier to detect the campaign.

“Compromising hundreds of hosts in this type of attack takes away from the impressiveness of the campaign,” the Symantec researcher wrote in the email. “Specifically, having a smaller attack footprint (smaller number of infected hosts), the less likely defenders are to identify and mitigate the threat. So by having to infect many hosts, the attacker put themselves at a disadvantage and increased their risk of being caught.”

One unexplained piece of the puzzle was the installation of a malicious tool, dubbed Poison Frog, about a month before the Tortoiseshell tools were deployed. Several security providers have linked Poison Frog to an Iranian government-sponsored attack group known as APT34, or alternately OilRig. In April, an unknown person or group started publishing secret data, tools, and alleged member identities belonging to OilRig.

In early 2018, OilRig also experienced a hostile takeover of its servers by Turla, another attack group that multiple researchers over the years have linked to the Russian government. Wednesday’s report from Symantec said it’s not clear if the same person installed both Poison Frog and the Tortoiseshell tools. Given the gap of time between the infections, the researchers are assuming they’re unrelated, but without more evidence, there’s no way to be sure.

Symantec has yet to figure out how Tortoiseshell infected the 11 networks. A Web shell—which is a script that’s uploaded to a Web server to provide remote administration of the machine—was the first indication of infection for one of the targets. Its presence suggests that Tortoiseshell members likely compromised a Web server and then used this to deploy malware onto the network.

Wednesday’s report contains IP addresses of Tortoiseshell control servers and cryptographic hashes of the software that the group used. Security people can use these indicators of compromise to tell if networks they defend have experienced the same infections.