Tortoiseshell, Imperial Kitten

Description

(Symantec) A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.

The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.

Overlap has been found with Magic Hound’s Subgroup: TA455, Smoke Sandstorm.

Names

Name	Name-Giver
Tortoiseshell	Symantec
Imperial Kitten	CrowdStrike
TA456	Proofpoint
Curium	Microsoft
Marcella Flores	self given
Houseblend	?
Crimson Sandstorm	Microsoft
Cuboid Sandstorm	Microsoft
Yellow Liderc	PWC
Devious Serpens	Palo Alto
Cobalt Fireside	SecureWorks

Country

• Iran

Sponsor

State-sponsored, Islamic Revolutionary Guard Corps (IRGC)

Motivation

• Information theft and espionage

First Seen

2018

Observed Sectors

• Aerospace
• Defense
• IT
• Shipping and Logistics
• Maritime and Shipbuilding

Observed Countries

• Saudi Arabia
• UAE
• USA
• Middle East

Tools

• get-logon-history.ps1
• IMAPLoader
• Infostealer
• LEMPO
• liderc
• SysKit

Operations

• 2019-09: Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html
• 2020-11: I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
• 2022: Yellow Liderc ships its scripts and delivers IMAPLoader malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
• 2023-05: Operation “Fata Morgana” Fata Morgana: Watering hole attack on shipping and logistics websites https://www.clearskysec.com/wp-content/uploads/2023/05/Fata-Morgana-Israeli-Websites-Infected-by-Iranian-Group-1.8.pdf
• 2023-10: IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/

Counter Operations

• 2021-07: Taking Action Against Hackers in Iran https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/

Information

• https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain
• https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/

Other Information

Uuid

8e5c68c0-c16a-4d8f-8829-14d27ab8cd32

Last Card Change

2025-06-28