Saudi IT vendors targeted by cyber espionage group

Previously undocumented group targeted supply chain firms to steal data from end users


Information technology vendors in Saudi Arabia are being targeted by a previously undocumented cyber espionage group known as Tortoiseshell.

Tortoiseshell is sneaking into the networks of IT service providers through supply chain attacks and its final goal is to steal confidential information from end customers, according to US cybersecurity firm Symantec.

“Nearly 11 organisations are hit by the group, the majority of which are based in Saudi Arabia. In at least two organisations, evidence suggests that the attackers gained domain admin-level access,” said Orla Cox, director of threat intelligence at Symantec.

Supply chain attacks, where criminals damage an organisation by targeting the less-secure elements in the supply network, have been increasing in recent years and were up 78 per cent last year, according to Symantec.

In these attacks, attackers exploit third-party services and software to compromise a final target. They take many forms, including hijacking software updates and injecting malicious code into legitimate software.

Once on a victim computer, Tortoiseshell deploys several information gathering tools and retrieves a range of information about the machine, such as IP configuration, running applications, system information and network connectivity.
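The four categories of host reconnaissance listed above (IP configuration, running applications, system information, network connectivity) map onto a small set of discovery commands that rarely run together on an ordinary workstation in quick succession. The script below is an added defender-side example, not part of the original article or of Symantec's report: it scans constructed process-creation log lines and flags any host on which several distinct discovery categories appear within a short window. The log format, hostnames, usernames and the command-to-category table are all assumptions made for the example; Symantec did not publish the specific tools in this article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from discovery executables to the reconnaissance categories the
# report names. It is illustrative, not a list of Tortoiseshell's actual tooling.
DISCOVERY_COMMANDS = {
    "ipconfig": "ip_configuration",
    "tasklist": "running_applications",
    "systeminfo": "system_information",
    "netstat": "network_connectivity",
    "ping": "network_connectivity",
}

# Assumed log layout: "<date> <time> host=<name> user=<name> cmd=<command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$")

# Constructed sample: one host runs all four categories within seconds, the other
# runs two discovery commands hours apart during normal use.
SAMPLE_LOG = [
    "2019-09-18 09:00:01 host=WS-017 user=svc_backup cmd=ipconfig /all",
    "2019-09-18 09:00:04 host=WS-017 user=svc_backup cmd=tasklist /v",
    "2019-09-18 09:00:09 host=WS-017 user=svc_backup cmd=C:\\Windows\\System32\\systeminfo.exe",
    "2019-09-18 09:00:15 host=WS-017 user=svc_backup cmd=netstat -ano",
    "2019-09-18 09:30:00 host=WS-042 user=alice cmd=ipconfig",
    "2019-09-18 11:12:00 host=WS-042 user=alice cmd=notepad.exe report.txt",
    "2019-09-18 14:05:00 host=WS-042 user=alice cmd=tasklist",
]


def parse_line(line):
    """Parse one log line into (timestamp, host, user, command) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("host"), m.group("user"), m.group("cmd")


def command_category(cmd):
    """Return the discovery category for a command line, or None if it is not one."""
    exe = cmd.split()[0].lower()
    exe = exe.rsplit("\\", 1)[-1]          # drop any directory prefix
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return DISCOVERY_COMMANDS.get(exe)


def find_recon_bursts(lines, window=timedelta(minutes=5), min_categories=3):
    """Map host -> details of the first burst where at least `min_categories`
    distinct discovery categories were executed within `window`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, cmd = parsed
        category = command_category(cmd)
        if category:
            events[host].append((ts, user, category))

    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, user, _) in enumerate(evs):
            seen = set()
            # Sliding window: gather categories from this event forward until the
            # window closes.
            for ts, _, cat in evs[i:]:
                if ts - start > window:
                    break
                seen.add(cat)
            if len(seen) >= min_categories:
                alerts[host] = {"first_seen": start, "user": user, "categories": sorted(seen)}
                break
    return alerts


if __name__ == "__main__":
    for host, info in find_recon_bursts(SAMPLE_LOG).items():
        print(f"{host}: {info['user']} ran {len(info['categories'])} discovery categories "
              f"starting {info['first_seen']}: {', '.join(info['categories'])}")
```

Tuning the window and the category threshold is the real work: administrators and monitoring agents legitimately run some of these commands, so in practice the rule is paired with an allow-list of known service accounts and with the supply-chain angle the article raises, namely that the same burst appearing on many client hosts shortly after a software update from one provider is far more suspicious than a single occurrence.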

In two of the compromised networks, several hundred computers were infected with malware.

“This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them,” added Ms Cox.

Tortoiseshell, whose origin has not been disclosed by Symantec, has been active in the region since July 2018 and its most recent activity was documented in July this year.

IT providers are usually an ideal target for attackers given their high level of access to their clients’ computers.

“This access may give them (attackers) the ability to send malicious software updates to target machines and may even provide them with remote access to customer machines,” said Symantec in its blog revealing the new spying group on Wednesday.

In March, Symantec identified another cyber espionage group, Elfin, that was targeting organisations across a diverse range of sectors in Saudi Arabia. It accounted for 41 per cent of attacks on Saudi Arabia detected since 2016.

Cyber security is a significant concern for Arabian Gulf countries and a growing consideration in their defence budgets.

The danger of cyber attacks has been highlighted by several high-profile incidents in the region. The Shamoon virus that first appeared in Saudi Arabia in 2012 crippled 35,000 computers at Saudi Aramco, the world’s biggest oil-producing company.

In the first half of 2018, the UAE experienced a huge data breach when ride-hailing firm Careem admitted 14 million of its customers had their data stolen.

Last December, Shamoon 3 — a data-wiping malware — hit the oil and gas sector. It attacked Saipem, an Italian contractor working for Aramco and several other oil majors in the region.