Tortoiseshell

Threat Actor updated 5 months ago (2024-05-04T19:17:49.082Z)
Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The campaign was discovered by Google Cloud's Mandiant and appears to be linked to the Iranian threat group UNC1549, also known as Smoke Sandstorm and Tortoiseshell. This group executes spear phishing and watering-hole attacks for credential harvesting and dropping malware. The activity of this group bears similarities to previous operations attributed to Tortoiseshell, which has been linked to Iran's Islamic Revolutionary Guard Corps (IRGC). In addition to targeting US entities, UNC1549, aka Tortoiseshell, has been active in the Middle East, targeting aerospace and defense firms in Israel, the United Arab Emirates, and other countries in the region. The campaigns are typically customized for each targeted organization, demonstrating a high level of sophistication and strategic planning. In 2021, Facebook took action against a group of Iranian cybercriminals dubbed "Tortoiseshell" by threat researchers at Symantec, who found links to Mahak Rayan Afraz. According to Facebook, Tortoiseshell appeared to have outsourced its malware development, a portion of which it attributed to Nasab’s firm, alleged to have ties to Iran’s Revolutionary Guard Corps. This outsourcing of malware development indicates a significant evolution in the group's modus operandi, suggesting an increased level of complexity and potential threat.
Description last updated: 2024-04-24T15:16:43.684Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names / profiles that may also be worth reviewing.

APT35 [2 votes]: APT35 is a possible alias for Tortoiseshell. APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the

Charming Kitten [2 votes]: Charming Kitten is a possible alias for Tortoiseshell. Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is a threat actor linked to Iran that has been involved in various cyberattacks targeting entities in Brazil, Israel, and the U.A.E. using a new backdoor. This group has been implicated in sophisti

Imperial Kitten [2 votes]: Imperial Kitten is a possible alias for Tortoiseshell. Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through SWC, and the use of IMAPLoader and other

UNC1549 [2 votes]: UNC1549 is a possible alias for Tortoiseshell. UNC1549, also known as Smoke Sandstorm and Tortoiseshell, is a suspected Iranian threat actor targeting the aerospace and defense sectors in the Middle East, specifically Israel and the United Arab Emirates. The group's activities have been discovered and tracked by Google Cloud's Mandiant, who have

Smoke Sandstorm [2 votes]: Smoke Sandstorm is a possible alias for Tortoiseshell. Smoke Sandstorm, also known as UNC1549 and Tortoiseshell, is a threat actor believed to be based in Iran. The group was discovered by Google Cloud's Mandiant and has been linked to spear phishing and watering-hole attacks aimed at credential harvesting and malware distribution. Smoke Sandstorm has b
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Iran
Phishing
Apt
Malware
Google
Analyst Notes & Discussion
Associated Threat Actors
Tortoiseshell Group [association type: Unspecified; 2 votes]: The threat actor Tortoiseshell Group is associated with Tortoiseshell.
Source Document References
Information about the Tortoiseshell Threat Actor was read from the document corpus below. This display is limited to 20 results.

Source                 | Created
-----------------------|-------------
InfoSecurity-magazine  | 6 months ago
CERT-EU                | 7 months ago
CERT-EU                | 8 months ago
CERT-EU                | 8 months ago
DARKReading            | 8 months ago
CERT-EU                | 8 months ago
CERT-EU                | 8 months ago
CERT-EU                | 8 months ago
CERT-EU                | 8 months ago
DARKReading            | 8 months ago
CERT-EU                | 8 months ago
CERT-EU                | a year ago
CERT-EU                | a year ago
CERT-EU                | a year ago
CERT-EU                | a year ago
CERT-EU                | a year ago
CERT-EU                | a year ago
DARKReading            | a year ago
CERT-EU                | a year ago
CERT-EU                | a year ago