← All Threat Actors
Threat Actor Profile

Tortoiseshell

Crimson Sandstorm Cuboid Sandstorm CURIUM DUSTYCAVE IMPERIAL KITTEN Smoke Sandstorm TA456 Yellow Liderc
▲ High Threat
A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.
Origin Iran
Sponsor Iran (Islamic Republic of)
Motivation Espionage

Target Sectors

Defense Government Military Finance Energy Healthcare Pharmaceuticals Telecoms High-Tech Media NGOs Civil Society Legal Rail Transportation

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD