Researchers have observed Sea Turtle cyber espionage group targeting telcos, media, ISPs, IT service providers, and Kurdish websites in the Netherlands.
Active since at least 2017, the Sea Turtle APT group focuses primarily on targeting organizations in Europe and the Middle East. Between 2017 and 2019, the APT group mainly used DNS hijacking in its campaigns.
The group targets government entities, Kurdish (political) groups like PKK, telecommunication, ISPs, IT-service providers, NGO, and Media & Entertainment sectors;
The group enhanced its evasion capabilities. In October 2021, Microsoft observed the group conducting intelligence gathering aligned with strategic Turkish interests.
The group targeted the infrastructure with supply chain and island-hopping attacks. The threat actors gathered personal information on minority groups and potential political dissents.
The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals. This appears to be consistent with claims from US officials in 2020 about hacker groups acting in Turkey’s interest, focusing on the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey.
The modus operandi of the group includes intercepting internet traffic to victim websites, and potentially granting unauthorized access to government networks and other organizations.
During one of the most recent campaigns in 2023, the APT group employed a reverse TCP shell named SnappyTCP to target Linux/Unix systems.
Sea Turtle also used code from a publicly accessible GitHub account, which is likely under the control of the threat actor. The researchers also observed the cyber spies compromising cPanel accounts and using SSH to achieve initial access to the environment of a target’s organization.
Hunt & Hackett also observed the threat actor collecting at least one e-mail archive of one of the multiple victim organizations.
Organizations to implement and govern defense in depth strategy like strong lassword policies with mandatory MFA. Keep software up-to-date and restrict internet access to the systems. Disable the critical ports and privilege account usage.
Indicators of Compromise
- 82.102.19[.]88
- 62.115.255[.]163
- 193.34.167[.]245
- forward.boord[.]info
- f1a4abd70f8e56711863f9e7ed0a4a865267ec7
Nice information