American military veterans on the hunt for a new job are the latest group to be targeted by bold new threat group Tortoiseshell.
The group, which was discovered earlier this month by researchers at Symantec, has been active since July 2018, primarily targeting IT providers in Saudi Arabia with a mix of customized and "common or garden" malware.
New intelligence published yesterday by Cisco Talos reveals that Tortoiseshell has refocused its criminal campaign to strike at targets in the United States. Talos discovered that team Tortoiseshell was behind a malicious website that has been cleverly crafted to resemble a legitimate recruitment site for US military veterans.
Visitors to the site hxxp://hiremilitaryheroes[.]com were prompted to download an app that was in reality a malware downloader, which in turn deployed further malware and spyware on the victim's machine.
Warren Mercer, technical leader at Cisco Talos, told Infosecurity Magazine that the nature of the attack indicated that Tortoiseshell was hoping to ensnare active military personnel in addition to former servicemen.
"As it seems they were targeting HR/recruitment efforts, it's possible they hoped to attack current military servicemen as well as current veterans."
Talos would not confirm or deny reports that Tortoiseshell is based in Iran. What is clear, however, is that should Tortoiseshell get its claws into active members of the military, the outcome could be devastating.
Mercer told Infosecurity Magazine: "Depending on the victim they are successful compromising, the level of detail/information they [Tortoiseshell] can obtain is very varied.
"If Tortoiseshell successfully targeted a currently enlisted military professional with access to potentially confidential information, this could become very damaging to the parties involved."
Close attention had been paid to every detail of the malicious website to ensure that it closely mimicked a genuine site in its choice of name, imagery, and the style of language used. However, Mercer said that what might appear to be sophisticated actions by the group were more probably evidence of their dogged resolve.
Commenting on the site's seemingly genuine appearance, Mercer told Infosecurity Magazine: "This isn’t suggestive of a sophisticated actor; it’s more indicative of a determined actor. They want to ensure that they remain as aligned as possible to their fake website, and the text, images, and domain name help with that."
In carrying out this latest attack, Tortoiseshell used the same backdoor method employed against its targets in the Middle East. Perhaps this reliance on the same tactics, techniques, and procedures (TTPs) will be the group's downfall.