Researchers from Dutch security firm Hunt & Hackett observed Sea Turtle cyber espionage group (aka Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf) targeting telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands.
The researchers believe that the Turkey-linked APT Sea Turtle has been active since at least 2017. The Sea Turtle APT group focuses primarily on targeting organizations in Europe and the Middle East. Between 2017 and 2019, the APT group mainly used DNS hijacking in its campaigns.
The group targets government entities, Kurdish (political) groups like PKK, telecommunication, ISPs, IT-service providers (including security companies), NGO, and Media & Entertainment sectors;
Over the years, the group enhanced its evasion capabilities. In October 2021, Microsoft observed the group conducting intelligence gathering aligned with strategic Turkish interests.
In recent attacks, the researchers targeted the infrastructure of the targets with supply chain and island-hopping attacks. The threat actors gathered personal information on minority groups and potential political dissents.
“The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals.” reads the report published by Hunt & Hackett. “This appears to be consistent with claims from US officials in 2020 about hacker groups acting in Turkey’s interest, focusing on the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey”
The modus operandi of the group includes intercepting internet traffic to victim websites, and potentially granting unauthorized access to government networks and other organizations.
During one of the most recent campaigns in 2023, the APT group employed a reverse TCP shell named SnappyTCP to target Linux/Unix systems.
Sea Turtle also used code from a publicly accessible GitHub account, which is likely under the control of the threat actor. The researchers also observed the cyber spies compromising cPanel accounts and using SSH to achieve initial access to the environment of a target’s organization.
Hunt & Hackett also observed the threat actor collecting at least one e-mail archive, of one of the multiple victim organizations.
Below are the recommendations provided by the researchers to mitigate exposure to Sea Turtle attacks:
The report also includes Indicators of Compromise (Iocs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Sea Turtle)