Connect with us

Hi, what are you looking for?



Turkish Cyberspies Targeting Netherlands

Turkish state-sponsored group Sea Turtle has been targeting multiple organizations in the Netherlands for espionage.

A state-supported cyberespionage group likely affiliated to Turkey has been observed targeting numerous public and private entities in the Netherlands for intelligence gathering, Dutch incident response provider Hunt & Hackett reports.

Over the past year, the advanced persistent threat (APT) actor, tracked as Sea Turtle, Cosmic Wolf, Marbled Dust, Silicon, and Teal Kurma, targeted government, telecommunications, media, and NGO entities, along with ISPs and IT services providers in the country, as part of multiple espionage campaigns.

Sea Turtle, Hunt & Hackett says, mainly focused on telecoms, media, ISP, and IT services organizations, and targeted Kurdish websites, including some that are PKK (Kurdistan People’s Congress) affiliated.

“The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents,” the cybersecurity firm notes.

The APT likely used the stolen information for surveillance or intelligence gathering, in line with previously detailed tactics observed in Sea Turtle attacks against organizations in Europe, Middle East, and North Africa.

“Hunt & Hackett has observed the threat actor executing defense evasion techniques to avoid being detected, and the threat actor has also been observed collecting potentially sensitive data such as email archives. Their modus operandi includes intercepting internet traffic to victim websites, and potentially granting unauthorized access to government networks and other organizations,” the cybersecurity firm notes.

Sea Turtle was initially detailed in 2019, when it stood out for its use of complex DNS hijacking techniques. At that time, however, security researchers did not align it with the interests of a government, albeit they did assess the group as being state-sponsored.

The group faded following public disclosure, but made it into the spotlight again a month ago, when PwC published an analysis of ‘SnappyTCP’, a reverse shell for Linux/Unix systems that the group had been using since 2021.

Advertisement. Scroll to continue reading.

Since at least 2017, the APT has been exploiting known vulnerabilities for initial access, and is believed to have continued doing so over the past three years as well. Following the initial intrusion, the group would run a shell script to drop an executable to the disk.

A simple reverse TCP shell for Linux, the webshell has basic command-and-control (C&C) capabilities and likely allows the attackers to establish persistence. The shell’s code is identical to code found in a publicly accessible GitHub repository, which also hosts other samples used to establish reverse shells.

“It is unclear if the threat actor controls this account or is simply abusing a third party’s code. Given the overlaps between both the code and IP addresses, there is a realistic probability that the threat actor is in control of this account at present. It is highly plausible that the threat actor is also using other code observed on this GitHub, particularly some of the proof-of-concept exploit code for major vulnerabilities,” PwC notes.

In late December, StrikeReady published its own analysis of Sea Turtle, providing indicators of compromise (IoCs) associated with the threat actor’s activities.

Related: Turkish Hackers Target Greek Government Websites, Stock Exchange

Related: Sea Turtle’s DNS Hijacking Continues Despite Exposure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet