Sea Turtle, a group of hackers aligned with the Turkish government, has returned after going undetected since 2020.
Dutch cybersecurity provider, Hunt & Hackett, reported on January 5, 2024, that Sea Turtle has been conducting multiple espionage campaigns in the Netherlands.
These campaigns took place between 2021 and 2023. They targeted telecommunication, media, IT, and internet service providers (ISPs).
The APT group has also targeted Kurdish websites, especially those affiliated with the Kurdistan Workers' Party (PKK).
"The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents," the Hunt & Hackett research team wrote.
"The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups or individuals," it added.
cPanel Compromise and SnappyTCP Malware
Previously known to carry out DNS hijacking, Sea Turtle has deployed new approaches in recent campaigns.
During one of the 2023 operations the group reportedly used a compromised account on cPanel, a web hosting control panel used by multiple organizations worldwide, from an IP address used by a VPN provider.
The cPanel account was used to perform an SSH login from an IP address belonging to a hosting provider. This allowed Sea Turtle to get into the IT infrastructure of its target.
Next, Sea Turtle used the Unix shell Bash to execute malicious commands.
The hacking group used a reverse TCP shell for Linux/Unix operating systems named SnappyTCP, whose source code is available on GitHub, according to a December 2023 PwC report.
SnappyTCP can be used to steal data, install additional malware or launch other attacks.
Shortly after, the tool Adminer was installed in the public web directory of one of the compromised cPanel accounts. Adminer is a publicly available database management tool that can be used to log on to the MySQL service of a system remotely.
Finally, the threat actor sent commands to the system using SnappyTCP to create a copy of an e-mail archive in the public web directory of the website that was accessible from the internet.
The e-mail archive was created using tar, a computer software utility designed to collect files into one archive file for distribution or backup purposes.
“It is highly likely that the threat actor exfiltrated the e-mail archive by downloading the file directly from the web directory,” the Hunt & Hackett report concluded.
Who is Behind Sea Turtle?
Sea Turtle (aka Teal Kurma, Marbled Dust, Silicon, UNC1326, Cosmic Wolf) is an advanced persistent threat (APT) group allegedly tied to, or aligned with, the Turkish government.
Its activities date back to January 2017 and were first documented by Cisco Talos in April 2019. In the initial report, Cisco Talos detailed espionage attacks targeting public and private entities in the Middle East and North Africa.
The group’s motivations are primarily focused on acquiring economic and political intelligence through espionage, and information theft that targets public and private entities.
The group became prominent between 2018 and 2020 when it conducted a series of DNS hijacking campaigns that intercepted traffic of government IT systems in Greece, Cyprus and Iraq.
Microsoft’s Digital Defense Report 2021 noted that the threat actor carries out intelligence collection campaigns in countries like Armenia, Cyprus, Greece, Iraq and Syria. These campaigns aim to meet strategic Turkish interests.
A report published by PwC in early December 2023 introduced the group’s use of SnappyTCP.
Meanwhile, cloud-based security operations provider Strike Ready published a report relating to Sea Turtle on its own blog in late December 2023. The firm focused on a specific Sea Turtle activity: spoofing Kurdish news sites, NGO sites and TV channels in the Arab world.
Read more: Sea Turtle DNS Hijackers Go After More Victims
Recommendations to Prevent Sea Turtle Attacks
In the Hunt & Hackett report the firm shared a list of recommendations to help Sea Turtle’s main targets reduce both the attack surface and the likelihood of becoming a victim.
These include:
- Deploying EDR and monitor systems for network connections executed processes, file creation/modification/deletion and account activity, and storing log files in a central location
- Creating and enforcing a password policy with adequate complexity requirements for specific accounts, and storing passwords in a secrets management system
- Limiting login attempts on accounts to reduce the chance of successful brute-force attacks
- Enabling two-factor/multifator authentication (2FA/MFA) on all externally exposed accounts
- Reducing the number of systems that can be reached over the internet using SSH
- Implementing egress network filtering to prevent malicious processes such as reverse shells from successfully sending network traffic to not-allowed IP addresses