Telecommunications, media, internet service providers (ISPs), information technology (IT) service providers, and Kurdish websites in the Netherlands have been targeted in a new cyber espionage campaign attributed to a threat actor known as Sea Turtle and linked to Türkiye.
What cybersecurity experts tell us about Sea Turtle
“According to an analysis by Dutch security firm Hunt & Hackett, the targets' infrastructure was susceptible to supply chain attacks and 'island-hopping', which the attack group used to gather politically motivated intelligence, such as personal information about minority groups and potential political dissent,” the Dutch company said in an analysis published last Friday, adding: “The stolen information is likely intended to be exploited for surveillance or intelligence gathering on specific groups and/or individuals.”
Sea Turtle, also known as Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma and UNC1326, was first documented by Cisco Talos in April 2019, which detailed state-sponsored attacks against public and private entities in the Middle East and North Africa.
Activities associated with the group are believed to have been ongoing since January 2017, primarily leveraging DNS hijacking to redirect potential targets querying a specific domain to an attacker-controlled server capable of harvesting their credentials.
“Over time, the Sea Turtle campaign almost certainly poses a more serious threat than DNSpionage, given the actor's methodology in targeting various DNS registrars and registries,” Talos said at the time.
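Because the hijacking described above happens at the registrar or registry level, the victim's own servers see nothing unusual; the only reliable signal is that the answers returned for the organisation's names no longer match what it expects. The following is an added defensive example, not code from the article or from any of the firms it cites: it keeps a constructed baseline of expected A records (the domain and addresses are hypothetical) and reports any name that resolves to something else or stops resolving at all. The live check uses the standard-library resolver only, so it covers A records; comparing NS and MX records, and running the check from several external vantage points, would need a full DNS library.

```python
import socket
from typing import Dict, List, Optional, Set, Tuple

# Constructed baseline: the addresses the organisation expects its names to
# resolve to. Hypothetical domain and documentation-range addresses.
BASELINE: Dict[str, Set[str]] = {
    "www.example.test": {"198.51.100.10"},
    "mail.example.test": {"198.51.100.20"},
}

Finding = Tuple[str, str, List[str], List[str]]  # (name, kind, expected, seen)


def diff_records(baseline: Dict[str, Set[str]],
                 observed: Dict[str, Set[str]]) -> List[Finding]:
    """Compare observed answers with the baseline.

    Returns one finding per name that either did not resolve ("no answer")
    or resolved to a set of addresses different from the baseline ("drift").
    An empty list means every name matched.
    """
    findings: List[Finding] = []
    for name, expected in baseline.items():
        seen = observed.get(name)
        if seen is None:
            findings.append((name, "no answer", sorted(expected), []))
            continue
        if seen != expected:
            findings.append((name, "drift", sorted(expected), sorted(seen)))
    return findings


def resolve_a(name: str) -> Optional[Set[str]]:
    """Resolve A records through the system resolver; None if it fails."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except (socket.gaierror, socket.herror):
        return None
    return set(addrs)


def check_live(baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Resolve every baseline name now and diff the answers against it."""
    observed: Dict[str, Set[str]] = {}
    for name in baseline:
        addrs = resolve_a(name)
        if addrs is not None:
            observed[name] = addrs
    return diff_records(baseline, observed)


if __name__ == "__main__":
    # Offline demonstration with a constructed "hijacked" answer for www.
    hijacked = {
        "www.example.test": {"203.0.113.7"},      # not in the baseline
        "mail.example.test": {"198.51.100.20"},   # unchanged
    }
    for name, kind, expected, seen in diff_records(BASELINE, hijacked):
        print(f"{name}: {kind} expected={expected} seen={seen}")
```

In practice the baseline is refreshed only through a deliberate change process, and the check is scheduled and alerted on, since a redirect of a mail or login host to an address outside the baseline is exactly the condition the article describes.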
In late 2021, Microsoft disclosed that the adversary carries out intelligence collection in support of Turkish strategic interests against countries such as Armenia, Cyprus, Greece, Iraq and Syria, targeting telecommunications and IT companies with the aim of “establishing a foothold upstream of their desired target” through the exploitation of known vulnerabilities.
Then, last month, the PricewaterhouseCoopers (PwC) Threat Intelligence team revealed that the adversary had been using a simple reverse TCP shell for Linux (and Unix) systems, called SnappyTCP, in attacks conducted between 2021 and 2023.
“The web shell is a simple reverse TCP shell for Linux/Unix that has basic [command-and-control] capabilities and is probably also used to establish persistence,” the company said. “There are at least two main variations; one that uses OpenSSL to create a secure connection over TLS, while the other omits this capability and sends requests in plain text.”
Hunt & Hackett's latest findings show that Sea Turtle remains a stealthy espionage group, using defense evasion techniques to stay undetected while collecting email archives.
In one of the attacks observed in 2023, a compromised but legitimate cPanel account was used as the initial access vector to deploy SnappyTCP on the system, though it is not currently known how the attackers obtained the credentials.
“Using SnappyTCP, the threat actor sent commands to the system to create a copy of an email archive created with the tar tool in the public web directory of the website, accessible from the Internet,” the company noted. “It is very likely that the actor exfiltrated the email archive by directly downloading the file from the web directory.”
To mitigate the risks of such attacks, organizations are advised to enforce strong password policies, implement two-factor authentication (2FA), limit the number of login attempts to reduce the chances of brute force attacks, monitor SSH traffic, and keep all systems and software up to date.
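Two of the points above are easy to turn into routine checks: the staging of a tar archive in the public web directory, and the brute-force attempts that login-attempt limits and SSH monitoring are meant to catch. The following is an added example written for this article, not code from Hunt & Hackett or PwC. It scans a web root for archive-like files that have no business being web-accessible, and counts failed SSH logins per source address from constructed auth-log lines. The web root layout, the file names and the log lines are all made up for the demonstration.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List

# File types that normally do not belong under a public web directory.
# Hypothetical list; extend it to match the hosting environment.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".zip", ".mbox")


def find_archives(webroot: Path) -> List[Path]:
    """Return every archive-like file under webroot, sorted by path.

    A tar copy of a mailbox sitting in public_html is the staging pattern the
    article describes; a scheduled run of this over every site's web root
    surfaces it before or shortly after it is downloaded.
    """
    hits = [p for p in Path(webroot).rglob("*")
            if p.is_file() and p.name.lower().endswith(ARCHIVE_SUFFIXES)]
    return sorted(hits)


# Matches the sshd line written on a rejected password, including the
# "invalid user" form used for accounts that do not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_logins_by_source(lines: Iterable[str], threshold: int = 5) -> Dict[str, int]:
    """Count failed SSH password attempts per source IP.

    Returns only the sources at or above threshold, which is what a
    rate-limit or alert rule would act on.
    """
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed auth.log excerpt: four failures from one address, one from another.
SAMPLE_AUTH_LOG = [
    "Jan 5 02:11:01 web1 sshd[4120]: Failed password for root from 203.0.113.45 port 51822 ssh2",
    "Jan 5 02:11:03 web1 sshd[4120]: Failed password for root from 203.0.113.45 port 51822 ssh2",
    "Jan 5 02:11:06 web1 sshd[4125]: Failed password for invalid user admin from 203.0.113.45 port 51830 ssh2",
    "Jan 5 02:11:09 web1 sshd[4127]: Failed password for invalid user test from 203.0.113.45 port 51834 ssh2",
    "Jan 5 02:14:40 web1 sshd[4131]: Accepted publickey for deploy from 198.51.100.9 port 40211 ssh2",
    "Jan 5 02:20:12 web1 sshd[4140]: Failed password for deploy from 198.51.100.9 port 40215 ssh2",
]


def demo_webroot_scan() -> List[str]:
    """Build a throwaway public_html tree and return the archive names found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<html></html>")
        (root / "img" / "logo.png").write_bytes(b"\x89PNG")
        (root / "mail-backup.tar.gz").write_bytes(b"\x1f\x8b")  # the staged archive
        return [p.name for p in find_archives(root)]


if __name__ == "__main__":
    print("archives in web root:", demo_webroot_scan())
    print("brute-force sources:", failed_logins_by_source(SAMPLE_AUTH_LOG, threshold=3))
```

The archive scan deliberately keys on file name rather than content so it stays cheap enough to run every few minutes; a second pass with file-type detection can confirm hits. The login counter is the simplest form of the rate limit the advice above calls for, and the same per-source counts feed naturally into a fail2ban-style block list.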