A state-supported cyberespionage group likely affiliated to Turkey has been observed targeting numerous public and private entities in the Netherlands for intelligence gathering, Dutch incident response provider Hunt & Hackett reports.
Over the past year, the advanced persistent threat (APT) actor, tracked as Sea Turtle, Cosmic Wolf, Marbled Dust, Silicon, and Teal Kurma, targeted government, telecommunications, media, and NGO entities, along with ISPs and IT services providers in the country, as part of multiple espionage campaigns.
Sea Turtle, Hunt & Hackett says, mainly focused on telecoms, media, ISP, and IT services organizations, and targeted Kurdish websites, including some that are PKK (Kurdistan People’s Congress) affiliated.
“The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents,” the cybersecurity firm notes.
The APT likely used the stolen information for surveillance or intelligence gathering, in line with previously detailed tactics observed in Sea Turtle attacks against organizations in Europe, Middle East, and North Africa.
“Hunt & Hackett has observed the threat actor executing defense evasion techniques to avoid being detected, and the threat actor has also been observed collecting potentially sensitive data such as email archives. Their modus operandi includes intercepting internet traffic to victim websites, and potentially granting unauthorized access to government networks and other organizations,” the cybersecurity firm notes.
Sea Turtle was initially detailed in 2019, when it stood out for its use of complex DNS hijacking techniques. At that time, however, security researchers did not align it with the interests of a government, albeit they did assess the group as being state-sponsored.
The group faded following public disclosure, but made it into the spotlight again a month ago, when PwC published an analysis of ‘SnappyTCP’, a reverse shell for Linux/Unix systems that the group had been using since 2021.
Since at least 2017, the APT has been exploiting known vulnerabilities for initial access, and is believed to have continued doing so over the past three years as well. Following the initial intrusion, the group would run a shell script to drop an executable to the disk.
A simple reverse TCP shell for Linux, the webshell has basic command-and-control (C&C) capabilities and likely allows the attackers to establish persistence. The shell’s code is identical to code found in a publicly accessible GitHub repository, which also hosts other samples used to establish reverse shells.
“It is unclear if the threat actor controls this account or is simply abusing a third party’s code. Given the overlaps between both the code and IP addresses, there is a realistic probability that the threat actor is in control of this account at present. It is highly plausible that the threat actor is also using other code observed on this GitHub, particularly some of the proof-of-concept exploit code for major vulnerabilities,” PwC notes.
In late December, StrikeReady published its own analysis of Sea Turtle, providing indicators of compromise (IoCs) associated with the threat actor’s activities.