Symantec, the US software company, has disclosed a coordinated and targeted cyber-espionage campaign that compromised the networks of several major IT providers in Saudi Arabia last year, using them as a springboard to reach the attackers' final targets in the region.

Symantec researchers say the attackers appear to have been active since July 2018 and belong to a previously unknown threat group, which Symantec has named Tortoiseshell.

Kelly Jackson Higgins, executive editor of DarkReading.com, wrote in an article that Symantec disclosed yesterday that the attackers had infiltrated at least 11 organizations, mostly in Saudi Arabia, including major IT providers, using off-the-shelf tools in addition to their own custom malware.

Access to all devices
She noted that in two of the compromised organizations the attackers had obtained domain-level administrative access, giving them access to every device on those networks.

Higgins quoted Symantec researchers as saying that Tortoiseshell does not appear to be linked to any known group in the Middle East, but that one of the victim organizations had also been compromised through a backdoor associated with the Iranian state-sponsored group OilRig, also known as APT34. However, Symantec says there is no definitive evidence that Tortoiseshell is actually OilRig.

Symantec's chief threat intelligence analyst, Jon DiMaggio, said there was no overlap in code or shared infrastructure with other groups, which is why Symantec does not consider the group linked to Iran; Higgins adds that Symantec generally does not attribute threat groups to specific countries unless the US government has done so.

A striking development
Higgins said that in one striking development, unusual for most targeted attacks, two of the victim networks had several hundred devices infected. DiMaggio described this as disturbing in a targeted attack, explaining that the attackers may have had difficulty reaching the specific device they were after and so compromised a large number of devices instead.

IT service providers are a traditional target for cyber attacks (Al Jazeera)

Symantec's report states that the attackers collected details about the target device, including Internet Protocol (IP) settings, installed applications, system information and network connections.

Higgins cited John Bambenek, director of cyber security research at ThreatSTOP, as saying that Iran is likely to continue expanding its cyber-espionage and other hacking operations even after the recent economic sanctions imposed by the United States.

The most popular method
Over the past few years, supply chain attacks have become a more popular and effective way for nation states to reach their intended victims. The number of such attacks jumped 78 percent in 2018 from a year earlier, according to Symantec data.

Symantec reports that IT providers are ideal targets for attackers because of the high level of access they have to their customers' computers. That access could give attackers an opportunity to push malicious software updates to targeted devices, and may also provide remote access to client devices.

Giora Omer, head of security engineering at Panorays, says the Tortoiseshell intrusions illustrate why IT service providers are a traditional target for third-party attacks: they hold administrative access to many customers, many of whom lack basic security controls.

The maturity of the Iranian spy machine
Tortoiseshell's supply chain approach is another example of how Iran's cyber-espionage machine has matured. Benjamin Read, director of cyber-espionage analysis at FireEye, was quoted as saying that such groups generally steal data in large quantities and then process it afterwards.

Meanwhile, a new RAND report released today on nation-state cyberattacks found Iran to be less active than Russia and North Korea, but more focused on retaliation.