Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Turkiye-nexus threat actor known as Sea Turtle.
“The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents,” Dutch security firm Hunt & Hackett said in a Friday analysis.
“The stolen information is likely to be used for surveillance or intelligence gathering on specific groups and individuals.”
Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, detailing state-sponsored attacks targeting public and private entities in the Middle East and North Africa.
Activities associated with the group are believed to have been ongoing since January 2017, primarily leveraging DNS hijacking to redirect prospective targets attempting to query a specific domain to an actor-controlled server capable of harvesting their credentials.
Talos said at the time, “The Sea Turtle campaign almost certainly poses a more serious threat than DNSpionage given the actor’s modus operandi in targeting various DNS registrars and registries.”
In late 2021, Microsoft noted that the adversary carries out intelligence collection to meet strategic Turkish interests from countries like Armenia, Cyprus, Greece, Iraq, and Syria, striking telecom and IT companies with an aim to “establish a foothold upstream of their desired target “via exploitation of known vulnerabilities.
Then last month, according to the PricewaterhouseCoopers (PwC) Threat Intelligence team, the adversary was discovered using a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks conducted between 2021 and 2023.
“Web Shell is a simple reverse TCP shell for Linux/Unix that has basic [command-and-control] capabilities, and is possibly also used to establish persistence,” the company said. “There are at least two main variants; one that uses OpenSSL to create a secure connection over TLS, while the other omits this capability and sends requests in cleartext.”
Hunt & Hackett’s latest findings show that Sea Turtle remains a covert espionage-focused group, performing defense evasion techniques to fly under the radar and obtain email archives.
In one of the attacks observed in 2023, a compromised-but-legitimate cPanel account was used as the initial access vector to deploy SnappyTCP on the system. At present it is not known how the attackers got these certificates.
“Using SnappyTCP, the threat actor sent commands to the system to create a copy of the email archive created with the tool tar to the website’s public web directory, which could be accessed from the Internet,” the firm said.
“It is highly likely that a threat actor infiltrated the email archive by downloading the file directly from a web directory.”
To mitigate the risks posed by such attacks, it is advised that organizations implement strong password policies, implement two-factor authentication (2FA), rate limit login attempts to reduce the likelihood of brute-force attempts, Monitor SSH traffic and maintain all systems and software updates.
