Pierluigi Paganini January 07, 2024

Sea Turtle cyber espionage group targeted telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands.

Researchers from Dutch security firm Hunt & Hackett observed Sea Turtle cyber espionage group (aka Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf) targeting telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands.

The researchers believe that the Turkey-linked APT Sea Turtle has been active since at least 2017. The Sea Turtle APT group focuses primarily on targeting organizations in Europe and the Middle East. Between 2017 and 2019, the APT group mainly used DNS hijacking in its campaigns.

The group targets government entities, Kurdish (political) groups like PKK, telecommunication, ISPs, IT-service providers (including security companies), NGO, and Media & Entertainment sectors; 

Over the years, the group enhanced its evasion capabilities. In October 2021, Microsoft observed the group conducting intelligence gathering aligned with strategic Turkish interests.

In recent attacks, the researchers targeted the infrastructure of the targets with supply chain and island-hopping attacks. The threat actors gathered personal information on minority groups and potential political dissents.

“The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals.” reads the report published by Hunt & Hackett. “This appears to be consistent with claims from US officials in 2020 about hacker groups acting in Turkey’s interest, focusing on the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey”

The modus operandi of the group includes intercepting internet traffic to victim websites, and potentially granting unauthorized access to government networks and other organizations. 

During one of the most recent campaigns in 2023, the APT group employed a reverse TCP shell named SnappyTCP to target Linux/Unix systems. 

Sea Turtle also used code from a publicly accessible GitHub account, which is likely under the control of the threat actor. The researchers also observed the cyber spies compromising cPanel accounts and using SSH to achieve initial access to the environment of a target’s organization.

Hunt & Hackett also observed the threat actor collecting at least one e-mail archive, of one of the multiple victim organizations. 

Below are the recommendations provided by the researchers to mitigate exposure to Sea Turtle attacks:

• Deploy EDR and monitor systems for network connections executed processes, file creation/modification/deletion and account activity, and store logfiles in a central location. Ensure sufficient storage capacity for historic forensic investigation purposes. 
• Create and enforce a password policy with adequate complexity requirements for specific accounts. 
• Store passwords in a secrets management system, that can also be used by development environments. 
• Limit logon attempts on accounts to reduce the chance of successful brute force attacks. 
• Enable 2FA on all externally exposed accounts. 
• Keep software up to date to reduce number of vulnerabilities in externally exposed systems. 
• Reduce the number of systems that can be reached over internet using SSH. Where this is still necessary, it is recommended to implement an SSH-logon rate-limit. 
• Implement egress network filtering to prevent malicious processes such as reverse shells to successfully sent network traffic to not-allowed IP-addresses. 

The report also includes Indicators of Compromise (Iocs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Sea Turtle)