The company said in a blog post that the group had been active at least since July 2018 and that it had identified 11 organisations which had come under attack.
Symantec's blog post comes a few days after Saudi Arabian oil installations came under attack, allegedly by Iranian missiles.
Though no attribution was made regarding Tortoiseshell, Symantec mentioned that tools associated with APT34 (aka OilRig or Crambus), an actor that has been associated with Iran, had been used by Tortoiseshell.
The custom tool used was malware known as Backdoor.Syskit, a backdoor that had been developed using Delphi and .NET. Apart from this, common attack tools like two versions of Infostealer and get-logon-history.ps1 were also used by Tortoiseshell, Symantec claimed.
"The initial infection vector used by Tortoiseshell to get onto infected machines has not been confirmed, but it is possible that, in one instance, a Web server was compromised to gain access by the attacker," the Symantec post said.
"For at least one victim, the first indication of malware on their network was a Web shell. This indicates that the attackers likely compromised a Web server, and then used this to deploy malware onto the network."
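As an added illustration, not from the article or from Symantec, the following script is a defensive baseline check for the indicator described in the quote above: a web shell appearing on a web server that is then used to stage further malware. It walks a web root, reads server-side script files, and flags those that either contain two independent web-shell-style constructs or contain one such construct and were written very recently. The file extensions, regular expressions, age threshold, and the sample files it creates for the demo are all assumptions chosen for this example and are not an exhaustive signature set.

```python
# Added defensive example (not from the article or Symantec): a baseline scan
# for web-shell-like files in a web root. Heuristics, extensions, thresholds
# and the demo sample files are assumptions made for this illustration.
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Server-side script types a web shell is typically dropped as (assumption).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}

# Constructs common to web shells: code evaluation, process spawning, decoded
# payloads, and request parameters flowing into those calls (heuristic set).
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "exec_func": re.compile(r"\b(?:system|passthru|shell_exec|popen|proc_open)\s*\(", re.I),
    "b64": re.compile(r"\bbase64_decode\s*\(", re.I),
    "php_request": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    "asp_request": re.compile(r"\bRequest\.(?:Form|QueryString|Item)\b", re.I),
    "dotnet_process": re.compile(r"\bProcess\.Start\s*\(", re.I),
    "java_exec": re.compile(r"\bRuntime\.getRuntime\(\)\.exec\s*\(", re.I),
}


@dataclass
class Finding:
    path: str
    age_hours: float
    matched: list = field(default_factory=list)


def inspect_file(path, now, max_age_hours):
    """Return a Finding if the file looks like a web shell, otherwise None."""
    _, ext = os.path.splitext(path)
    if ext.lower() not in SCRIPT_EXTENSIONS:
        return None
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        age_hours = (now - os.path.getmtime(path)) / 3600.0
    except OSError:
        return None
    matched = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    recent = age_hours <= max_age_hours
    # Two independent indicators, or a single indicator in a freshly written file.
    if len(matched) >= 2 or (matched and recent):
        return Finding(path, round(age_hours, 2), matched)
    return None


def scan_webroot(root, max_age_hours=72, now=None):
    """Walk a web root and return findings, most recently modified first."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            finding = inspect_file(os.path.join(dirpath, name), now, max_age_hours)
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: f.age_hours)
    return findings


def build_demo_webroot():
    """Create a constructed sample web root (not real data) and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    now = time.time()
    # name -> (content, age in hours); mtimes are backdated to simulate history
    samples = {
        "index.php": ('<?php echo "hello"; ?>', 0),                  # benign
        "shell.php": ("<?php eval($_POST['p']); ?>", 1),              # fresh, two indicators
        "legacy.php": ("<?php $q = $_GET['q']; echo $q; ?>", 24 * 30),  # old, one indicator
        "notes.txt": ("eval( system(", 0),                            # not a script file
    }
    for name, (content, age_h) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        mtime = now - age_h * 3600
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for f in scan_webroot(demo_root):
        print(f"{f.path}  age={f.age_hours}h  indicators={','.join(f.matched)}")
```

Run against a real document root, the scan is only a triage aid: it deliberately trades recall for noise reduction by requiring two indicators in older files, so a file integrity baseline of the web root and the web server's access logs should be the primary evidence when a finding appears.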
The post said IT providers were a lucrative target for attackers, as they often had high-level access to clients' computers. This meant that the clients' networks could be infiltrated through the provider without having to be compromised directly.
In June, Symantec claimed that a well-known attack group known as Turla, Snake or Waterbug appeared to have hijacked and used the infrastructure of APT34.
And in March, Symantec posted details about a group it called Elfin or APT33 which it said had been attacking organisations in the US and Saudi Arabia.