A persistent group of hackers has been hitting Saudi IT providers, Symantec says

The findings come at a time of heightened tension in the Persian Gulf.
Riyadh, Saudi Arabia
Riyadh, Saudi Arabia at night. The country's National Cybersecurity Authority has warned of a new destructive malware variant (CC0 Creative Commons).

Over the last 14 months, a determined group of hackers has breached IT companies in Saudi Arabia in a likely attempt to gain access to their customers, security researchers said Wednesday.

The group, dubbed Tortoiseshell, has struck at least 11 organizations, most of them in Saudi Arabia, since July 2018 and was active as recently as July 2019, according to cybersecurity company Symantec.

Targeting Saudi IT providers and collecting data on their networks makes perfect sense for anyone looking for persistent access to those suppliers’ clients. Symantec did not speculate on which organizations the attackers have been targeting further upstream in the supply chain. Nor would the researchers describe the nature of the IT services the hacked organizations provide.

Jon DiMaggio, senior threat intelligence analyst for Symantec Security Response, said the IT providers have a “large presence in Saudi Arabia” and have lots of customers. The IT providers “have that trust relationship with these customers,” DiMaggio told CyberScoop. “You can take advantage of Point A in order to compromise Point B, C, and D.”


In two cases, the attackers infected several hundred computers on the victimized networks, possibly casting about before finding the data they wanted. The hackers are collecting a range of data on the compromised machines, including IP addresses and network connectivity, Symantec said.

The researchers said they don’t have enough information to attribute the activity to a known group or government. However, Adam Meyers, CrowdStrike’s vice president of intelligence, said his firm believes the hackers described by Symantec appear to be operating in support of Iran’s Islamic Revolutionary Guard Corps and have been active since at least 2017, and as recently as this month.

The group, which CrowdStrike calls Imperial Kitten, “has engaged in intrusions against maritime, IT services, military veterans, and defense-related targets located in Saudi Arabia, the United Arab Emirates, and possible Western targets,” Meyers told CyberScoop. The hackers are using job ads, social media and IT service customers to gain access to their targets, he added.

The findings come at a time of heightened tension in the Persian Gulf. On Saturday, drone strikes damaged two facilities that account for roughly half of oil production capacity in Saudi Arabia. Although Houthi rebels in Yemen claimed responsibility for the attack, President Donald Trump said it looked like the Iranian government was responsible, a charge Tehran denies.

Cybersecurity experts have warned that with the escalation of tensions in the Gulf comes a risk of greater malicious cyber-activity. Both Saudi Arabia and Iran have seen aggressive hacking operations on their soil in the last decade. In 2009, Stuxnet, malware reportedly developed by the U.S. and Israel, breached a nuclear enrichment facility in Iran, destroying some 1,000 centrifuges. In Saudi Arabia in 2012, the Shamoon malware, which analysts have attributed to Iranian hackers, partially wiped or destroyed tens of thousands of computers at oil giant Saudi Aramco. More recently, in 2017, the Trisis malware caused a Saudi petrochemical plant to shut down.


As cyber-sleuths try to anticipate Tortoiseshell’s next move, they could study the group’s pursuit for quiet and expansive access to a target. For at least two of the victims tracked by Symantec, the hackers appear to have gained “domain admin” access, or a foothold into every machine on the network. That allows the hackers to be stealthier.

“You can reach out and you can sort of touch all those other systems without having to get a user to, say, click on a spearphishing email,” DiMaggio said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts