Cisco Talos has uncovered an attempt by the Tortoiseshell threat actor to steal data from US military veterans. Details of the attack were revealed in a blog by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An. Tortoiseshell has created a fake website (hxxp://hiremilitaryheroes[.]com) that looks remarkably similar to a US Government owned website (https://www.hiringourheroes.org). The website pretends to link veterans and employers but the only thing it delivers is an app that drops malware and steals data.
According to the researchers: “This new campaign utilizing the malicious hiring website represents a massive shift for Tortoiseshell. This particular attack vector has the potential to allow a large swath of people to become victims of this attack. Americans are quick to give back and support the veteran population. Therefore, this website has a high chance of gaining traction on social media where users could share the link in the hopes of supporting veterans.”
Who are Tortoiseshell?
There is little detail on Tortoiseshell from any of the major security companies. One of the first to name it was Symantec. They have blamed Tortoiseshell for an attack against 11 IT providers in Saudi Arabia over the last year. In its analysis of the attack on Saudi Arabia, Symantec said: “..it would be appealing to link TortoiseShell to a specific nation-state or attack group..” However, it then concluded: “We currently have no evidence that would allow us to attribute Tortoiseshell’s activity to any existing known group or nation state.”
Cisco Talos has taken the same line. It is blaming Tortoiseshell for this attack based on the tactics, techniques and procedures (TTPs) used in both the Saudi Arabia attack and this website. TTPs can be reused by multiple threat actors. Reusing another group's TTPs is a quick way to obfuscate who the real attacker is.
One of the issues here is that the two attacks are very different. The types of information targeted and the targets of the attacks are not necessarily related. One linking factor could be that the attackers are looking for military personnel who are shortly leaving the service. These individuals could be logging on from computers attached to a military network. Given the relationship between the US and Saudi Arabia, this would make those networks of interest to attackers in the region.
How does the attack work?
The attack is fairly simple and likely to be effective. There are three stages:
- Get someone to visit the website: This can be done through spam or phishing campaigns. However, Cisco Talos says that it has yet to see an active campaign to spread the details of the site. It will be interesting to see if, in fact, the site is spread through other means. Social media and specific networks for veterans are likely to be very effective.
- Persuade them to download the app and infect the machine: Once the user visits the site they are asked to download the app. The app starts to download and then appears to fail. It then tells the user their security solutions are blocking the app. This is an attempt to get users to turn off anti-virus or mark the app as safe. This allows it to install both its reconnaissance software and IvizTech, a Remote Access Trojan (RAT).
- Exfiltrate data: One piece of malware, named bird.exe, does reconnaissance on the local machine. It grabs a lot of data including information about the network it is connected to and the user account. The information is then exfiltrated through email.
Cisco Talos has only seen the two pieces of malware mentioned above being installed at the moment. However, IvizTech allows an attacker to push and execute additional malware on the local machine.
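A defender-side triage of the exfiltration stage described above, as an added example that is not from Talos or the original article: it flags any process other than an approved mail client that opens a connection on an SMTP port. The log format, field names, hosts, paths and allowlist are constructed for illustration, and it assumes the email exfiltration shows up as a direct SMTP connection from the endpoint.

```python
import ntpath
import re

SMTP_PORTS = {25, 465, 587}
# Assumption: full paths of mail clients approved in this environment.
# Matching on the full path, not the file name, catches a renamed binary.
ALLOWED_MAILER_PATHS = {r"c:\program files\microsoft office\root\office16\outlook.exe"}
# Assumption: user-writable locations a downloaded app typically runs from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed sample records (simplified key=value form, not a real product's format).
SAMPLE_LOG = r"""
ts=2019-09-25T10:01:02Z host=WS-014 image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE dst=203.0.113.10 dport=587
ts=2019-09-25T10:03:40Z host=WS-022 image=C:\Users\jdoe\AppData\Local\Temp\bird.exe dst=198.51.100.7 dport=465
ts=2019-09-25T10:03:41Z host=WS-022 image=C:\Windows\System32\svchost.exe dst=198.51.100.9 dport=443
ts=2019-09-25T10:07:15Z host=WS-031 image=C:\Tools\report.exe dst=198.51.100.7 dport=25
ts=2019-09-25T10:09:58Z host=WS-040 image=C:\Users\asmith\Downloads\outlook.exe dst=198.51.100.7 dport=587
"""

# A value runs until the next " key=" or end of line, so paths with spaces survive.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse(line):
    """Turn one key=value record into a dict; blank lines give {}."""
    return {m.group(1): m.group(2) for m in FIELD.finditer(line.strip())}


def triage(log_text):
    """Return (host, exe, dst, severity) for SMTP connections from unapproved processes."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        port = rec.get("dport", "")
        if not port.isdigit() or int(port) not in SMTP_PORTS:
            continue
        image = rec.get("image", "").lower()
        if image in ALLOWED_MAILER_PATHS:
            continue
        # Binaries in user-writable directories rank higher than other unknowns.
        severity = "high" if any(p in image for p in USER_WRITABLE) else "medium"
        findings.append((rec.get("host", "?"), ntpath.basename(image), rec.get("dst", "?"), severity))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The last sample record shows why the allowlist holds full paths: a file named outlook.exe running from a Downloads folder is still flagged.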
Enterprise Times: What does this mean
Using apps and malicious websites to attack machines, do reconnaissance and then install RAT malware is nothing new. What is odd here is that a malicious actor should, in such a short period of time, launch two very different attacks. It is possible that the group behind Tortoiseshell is made up of different teams who share the same tools. That would give them different objectives which would go some way to explaining this behaviour.
It is also a surprise that the two major security vendors talking about the attacks, Cisco Talos and Symantec, are not going further in attributing the group to a nation state. In some ways this is refreshing. Attribution is always difficult and, as we’ve seen before, especially in Germany, such attribution can easily be flawed. In this case, the difference in the attacks is likely to slow down attribution.
Choosing military veterans as a specific target is new. It is also not without risk. As the Cisco Talos team point out, the willingness of the US public and businesses to help veterans could help this attack spread. At the same time, the US military has a significant and growing cyber response capability. If this attack results in veterans being impacted, it would not be a surprise to see the US Cyber Command intervene in identifying the attackers. One reason is that many veterans still serve in a reservist capacity. This gives them access to US military systems, which makes their compromise a serious threat.
Will this spread outside the US? Quite possibly. The UK has an active jobs market for veterans and a number of charities that focus on getting veterans into jobs. It will be interesting to see if a .co.uk website run by Tortoiseshell appears soon.