Tortoiseshell

Threat Actor Profile, updated 2 months ago
Tortoiseshell is an Iran-linked threat actor, first named by threat researchers at Symantec, that has been linked to Iran's Islamic Revolutionary Guard Corps (IRGC). Several vendor clusters overlap with it: Google Cloud's Mandiant tracks related activity as UNC1549, which is also known as Smoke Sandstorm, and CrowdStrike reports overlapping activity as Imperial Kitten (see the alias list below). Two other names in this profile, MASN (Mehrsam Andisheh Saz Nik) and Mahak Rayan Afraz, are not APT group aliases but Iranian companies that public reporting and US government actions have tied to the group's operations.

Three strands of reporting are collected here. The first is a multi-year campaign against more than a dozen US companies and government entities, including the Department of the Treasury, which US authorities attributed to Tortoiseshell when they charged an Iranian national, Nasab, and later sanctioned his firm, MASN, alleged to have ties to the IRGC. The second is Mandiant's tracking of UNC1549, a suspected Iranian actor whose spear-phishing and watering-hole attacks harvest credentials and drop malware against aerospace and defense firms in Israel, the United Arab Emirates and elsewhere in the Middle East; Mandiant judged this activity to overlap with earlier operations attributed to Tortoiseshell. These intrusions are customized for each targeted organization, with lures that impersonate defense firms and hostage-campaign organizations, which reflects careful per-target planning. Related reporting covers the IMAPLoader malware delivered through strategic web compromise (the Imperial Kitten cluster) and the targeting of the Israeli logistics industry.

The third strand is Facebook's 2021 action against a Tortoiseshell account network. Facebook reported that the group appeared to have outsourced part of its malware development to Mahak Rayan Afraz, an Iranian firm posing as a cybersecurity service provider and alleged to have IRGC ties. The use of contractor firms for malware development is a notable feature of the group's operations and is the reason company names appear alongside group aliases in this profile.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile description

UNC1549 (2): UNC1549, also known as Smoke Sandstorm and Tortoiseshell, is a suspected Iranian threat actor targeting the aerospace and defense sectors in the Middle East, specifically Israel and the United Arab Emirates. The group's activities have been discovered and tracked by Google Cloud's Mandiant, who have...

APT35 (2): APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the...

Smoke Sandstorm (2): Smoke Sandstorm, also known as UNC1549 and Tortoiseshell, is a threat actor linked to Iran that has been implicated in a series of malicious cyber activities. The group's campaign was discovered by Google Cloud's Mandiant and involves spear phishing and watering-hole attacks aimed at harvesting cred...

Imperial Kitten (2): Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through SWC (strategic web compromise), and the use of IMAPLoader and other...

Charming Kitten (2): Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorus, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou...

MASN (1): MASN (Mehrsam Andisheh Saz Nik) is an Iranian company identified as being associated with several Iranian Advanced Persistent Threat (APT) groups, including Tortoiseshell. This entity has been linked to a multi-year cyber campaign that targeted over a dozen U.S. companies and government en...

Mahak Rayan Afraz (1): Mahak Rayan Afraz, an Iranian company posing as a cybersecurity service provider, has been identified as a threat actor involved in a series of cyberattacks. In 2021, Facebook took action against an Iranian cybercriminal group known as "Tortoiseshell", which was linked to Mahak Rayan Afraz according...

TA453 (1): TA453, also known as Charming Kitten, APT35, Phosphorus, and Ballistic Bobcat, is a threat actor attributed to the Iranian government. This group has been involved in numerous cyber espionage campaigns against various entities worldwide, with notable incidents involving an attack on a close affiliat...

Curium (1): Curium, also known as Crimson Sandstorm, is an Iranian threat actor group that has been meticulously targeting users over time. Unlike other threat actors who commonly utilize phishing emails, Curium employs a unique approach by creating a network of fictitious social media accounts to build trust w...

TA456 (1): TA456, also known as Imperial Kitten, Tortoiseshell, and Crimson Sandstorm, is a threat actor believed to be based in Iran. This group has been implicated in various cyber-espionage activities, leveraging social engineering tactics and malware distribution to compromise their targets. In one notable...

Crimson Sandstorm (1): Crimson Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran, has been identified as a significant threat actor in the cybersecurity landscape. This entity, potentially connected to the Islamic Revolutionary Guard Corps and active since at least 2017, targets victims across diverse se...
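The alias list above mixes three kinds of overlap: names a vendor explicitly declares to be the same cluster ("also known as"), names that merely co-occur in reporting, and company names that are not group aliases at all. The following Python script, added here as an example and not code from the profile site or from any vendor's tooling, merges the explicit "also known as" claims from the descriptions above with a union-find structure and then labels each listed overlap relative to the Tortoiseshell cluster. The alias statements and vote counts are constructed by hand from this page, so the output reflects only what this page asserts.

```python
"""Merge vendor "also known as" statements into alias clusters with union-find,
then check which of a profile's "possible overlaps" are actually alias-linked
to the anchor name and which are only co-mentions.

Added example, not code from the profile site. Inputs are constructed from
the alias statements and vote counts shown on this page.
"""
from collections import defaultdict

# Constructed from the "also known as" statements in the profile descriptions:
# (name whose description makes the claim, [names it claims as aliases]).
ALIAS_STATEMENTS = [
    ("Tortoiseshell", ["UNC1549", "Smoke Sandstorm"]),
    ("UNC1549", ["Smoke Sandstorm", "Tortoiseshell"]),
    ("Smoke Sandstorm", ["UNC1549", "Tortoiseshell"]),
    ("Imperial Kitten", ["Tortoiseshell", "UNC1549"]),
    ("TA456", ["Imperial Kitten", "Tortoiseshell", "Crimson Sandstorm"]),
    ("Curium", ["Crimson Sandstorm"]),
    ("APT35", ["Newscaster Team", "Charming Kitten", "Mint Sandstorm"]),
    ("Charming Kitten", ["ITG18", "Phosphorus", "TA453"]),
    ("TA453", ["Charming Kitten", "APT35", "Phosphorus", "Ballistic Bobcat"]),
]

# Constructed from the "Possible Aliases / Cluster overlaps" vote column.
OVERLAP_VOTES = {
    "UNC1549": 2, "APT35": 2, "Smoke Sandstorm": 2, "Imperial Kitten": 2,
    "Charming Kitten": 2, "MASN": 1, "Mahak Rayan Afraz": 1, "TA453": 1,
    "CURIUM": 1, "TA456": 1, "Crimson Sandstorm": 1,
}


def norm(name):
    """Canonical key: vendors differ in case and spacing (CURIUM vs Curium)."""
    return " ".join(name.split()).lower()


class UnionFind:
    """Disjoint-set forest with path halving; keys are normalised names."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def build_clusters(statements):
    """Return a list of frozensets; each is one transitive alias cluster."""
    uf = UnionFind()
    display = {}  # normalised key -> first spelling seen, for readable output
    for vendor, aliases in statements:
        display.setdefault(norm(vendor), vendor)
        uf.find(norm(vendor))  # register the name even if it claims no aliases
        for alias in aliases:
            display.setdefault(norm(alias), alias)
            uf.union(norm(vendor), norm(alias))
    groups = defaultdict(set)
    for key in list(uf.parent):
        groups[uf.find(key)].add(display[key])
    return [frozenset(g) for g in groups.values()]


def cluster_of(clusters, name):
    """Find the cluster containing name (case-insensitive), or None."""
    key = norm(name)
    for cluster in clusters:
        if any(norm(n) == key for n in cluster):
            return cluster
    return None


def classify_overlaps(statements, overlaps, anchor="Tortoiseshell"):
    """Label each candidate overlap relative to the anchor's alias cluster.

    alias-linked      : reachable from the anchor through explicit aka claims
    separate cluster  : has aka claims, but they never connect to the anchor
    no alias evidence : appears only as a co-mention (e.g. a company name)
    """
    clusters = build_clusters(statements)
    anchor_cluster = cluster_of(clusters, anchor)
    verdicts = {}
    for name in overlaps:
        cluster = cluster_of(clusters, name)
        if cluster is not None and cluster == anchor_cluster:
            verdicts[name] = "alias-linked"
        elif cluster is not None:
            verdicts[name] = "separate cluster"
        else:
            verdicts[name] = "no alias evidence"
    return verdicts


if __name__ == "__main__":
    for cluster in build_clusters(ALIAS_STATEMENTS):
        print("cluster:", ", ".join(sorted(cluster)))
    for name, verdict in classify_overlaps(ALIAS_STATEMENTS, OVERLAP_VOTES).items():
        print(f"{name:20s} votes={OVERLAP_VOTES[name]}  {verdict}")
```

With this page's data the APT35, Charming Kitten and TA453 names form their own cluster that never touches Tortoiseshell, so their "possible overlap" votes rest on co-mention in reporting rather than on any vendor's alias claim, while MASN and Mahak Rayan Afraz are company names with no alias edges at all. Treat the vote count as a prompt to read the underlying reports, not as evidence of a shared cluster.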
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
Phishing, Google, Iran, APT, Malware, Backdoor, State Sponso..., Israel, Mandiant, Facebook, Treasury
Associated Malware
ID (type, votes): Profile description

Crimson (unspecified, 1): Crimson is a type of malware that has been used in various cyber-espionage campaigns, notably by ProjectM. The malware was first observed in 2013 and has been continuously employed in attacks alongside other payloads like Capra RAT and Oblique RAT. ProjectM used multiple domains to control the Crims...

Note that this description attributes Crimson to ProjectM, not to any Iranian actor, and nothing else on this page ties Tortoiseshell to that malware; the association most likely arises from the name overlap with the Crimson Sandstorm alias rather than from shared tooling, and should be treated as unconfirmed until the underlying evidence is reviewed.
Associated Threat Actors
ID (type, votes): Profile description

Tortoiseshell Group (unspecified, 2): no description available
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Tortoiseshell threat actor was read from the documents listed below (display limited to 20 results).

Source, date: Title

InfoSecurity-magazine, 3 months ago: US Sanctions Iranian
CERT-EU, 4 months ago: Cyber Security Week in Review: March 1, 2024
CERT-EU, 4 months ago: US charges Iranian with attacks against defense contractors • The Register | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU, 4 months ago: Operationalizing NIST CSF 2.0; AI Models Run Amok | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
DARKReading, 4 months ago: CISO Corner: Operationalizing NIST CSF 2.0; AI Models Run Amok
CERT-EU, 4 months ago: US charges Iranian with attacks against defense contractors
CERT-EU, 4 months ago: 'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 4 months ago: Iran hacking group impersonates defense firms, hostage campaigners | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 5 months ago: Middle East subjected to suspected Iranian state-backed cyberespionage attacks
DARKReading, 5 months ago: 'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms
CERT-EU, 5 months ago: Iran hacking group impersonates defense firms, hostage campaigners
CERT-EU, 8 months ago: GHOSTPULSE malware loader deployed via fraudulent MSIX app packages
CERT-EU, 9 months ago: Cybersecurity Awareness Month: Building a use policy for generative AI
CERT-EU, 9 months ago: Widespread StripedFly malware framework compromise reported in Windows, Linux systems
CERT-EU, 9 months ago: New federal healthcare cybersecurity toolkit unveiled
CERT-EU, 9 months ago: New IMAPLoader malware attacks deployed by Iranian threat operation
CERT-EU, 9 months ago: Millions install mobile adware apps on Google Play
DARKReading, a year ago: APT35 Develops Mac Bespoke Malware
CERT-EU, a year ago: Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools
CERT-EU, a year ago: Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry - GIXtools