Cybersecurity Lair™ • January 8, 2024

Latest News | Resurgent Sea Turtle

Turkish-Aligned Hacker Group's Advanced Espionage Tactics

Identification and Previous Activities:


Sea Turtle, also known as Teal Kurma, Marbled Dust, Silicon, UNC1326 and Cosmic Wolf, is an advanced persistent threat (APT) group associated with the Turkish government.

Their activities, documented since January 2017, target economic and political intelligence through espionage, primarily in the Middle East and North Africa.

Previous campaigns, between 2018 and 2020, involved DNS hijacking in countries such as Greece, Cyprus and Iraq to intercept traffic to government IT systems.


Recent Activities:


Dutch cybersecurity firm Hunt & Hackett revealed Sea Turtle's espionage campaigns in the Netherlands between 2021 and 2023. Targets included telecommunication, media, IT, and internet service providers (ISPs).

They also targeted Kurdish websites linked to the Kurdistan Workers' Party (PKK).

Methods Used:


Sea Turtle utilised supply chain and island-hopping attacks, exploiting vulnerable infrastructure to collect politically motivated information such as personal details of minority groups and potential dissidents.

The stolen information might be used for surveillance or intelligence gathering.


New Approaches and Tools:


Sea Turtle used a compromised account on cPanel, a web hosting control panel, to gain SSH access to the hosting infrastructure, and executed malicious commands through the Unix shell Bash.

They utilised a Linux/Unix-based reverse TCP shell called SnappyTCP, available on GitHub, to steal data, install malware, or conduct further attacks.

Adminer, a database management tool, was installed in compromised accounts to access the MySQL service remotely.

They created an email archive in a website's public web directory and likely exfiltrated it from there.
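The two host-level traces described in this section (an Adminer-style database tool dropped into a web root, and an archive staged in a public web directory) can be hunted for with a simple filesystem audit. The script below is an added example, not code from the original post or from Hunt & Hackett's report. It walks a document root and flags archive files by extension, and PHP files that are either named like Adminer or carry Adminer's standard file header (the project name and its adminer.org link). The sample web root, its file names and contents are constructed for the demonstration; the extension list and the header pattern are assumptions chosen for illustration, not a published indicator list.

```python
import os
import re
import tempfile
from pathlib import Path

# Illustrative indicators modelled on the tradecraft described above.
# These are assumptions for the demo, not a published IoC list.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".zip", ".7z", ".gz", ".mbox")
ADMINER_FILENAME = re.compile(r"adminer", re.IGNORECASE)
# Adminer is distributed as one PHP file whose header names the project
# and links to adminer.org; either string in the first bytes is a hit.
ADMINER_HEADER = re.compile(
    rb"adminer\.org|Adminer - [^\n]{0,40}database management", re.IGNORECASE
)
HEAD_BYTES = 4096


def audit_webroot(root):
    """Walk a public web directory and return sorted (relative_path, reason)
    findings: archives sitting in the web root, and Adminer-like PHP files."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lower = name.lower()
            if lower.endswith(ARCHIVE_SUFFIXES):
                findings.append((rel, "archive in public web directory"))
            elif lower.endswith(".php"):
                if ADMINER_FILENAME.search(name):
                    findings.append((rel, "Adminer-like filename"))
                    continue
                try:
                    with path.open("rb") as fh:
                        head = fh.read(HEAD_BYTES)
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                if ADMINER_HEADER.search(head):
                    findings.append((rel, "Adminer header in PHP file"))
    return sorted(findings)


def build_sample_webroot(base):
    """Create a constructed web root: two benign files plus the two traces."""
    webroot = Path(base) / "public_html"
    (webroot / "css").mkdir(parents=True)
    (webroot / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (webroot / "css" / "site.css").write_text("body { margin: 0; }\n")
    # A mail archive staged where the web server will happily serve it.
    (webroot / "mail-backup.tar.gz").write_bytes(b"\x1f\x8b" + b"\x00" * 16)
    # Adminer renamed to something innocuous; its header still gives it away.
    (webroot / "db.php").write_bytes(
        b"<?php\n/** Adminer - Compact database management\n"
        b"* @link https://www.adminer.org/\n*/\n"
    )
    return webroot


def run_demo():
    """Build the sample web root in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_sample_webroot(tmp))


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason}: {rel}")
```

Run against a hosting account's document root (for cPanel, typically the account's public_html directory) and diff the findings against a known-good baseline; a hit on an archive is worth cross-checking with the web server access log, since a request for that file from outside confirms the data actually left.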


Targets and Reports:


Microsoft's Digital Defense Report 2021 highlighted Sea Turtle's intelligence collection campaigns in several countries aligned with Turkish strategic interests.

Reports from PwC and StrikeReady in December 2023 outlined Sea Turtle's use of SnappyTCP and specific activities spoofing Kurdish news sites and NGO sites in the Arab world.

Sea Turtle's resurgence signifies their evolving tactics, targeting, and utilisation of new tools for espionage aligned with Turkish interests in various regions.


Sources and further reading:


NIST Computer Security Resource Center (CSRC). (n.d.). Advanced persistent threats (glossary entry). https://csrc.nist.gov/glossary/term/advanced_persistent_threats

Poireault, K. (2024, January 8). Turkish APT Sea Turtle resurfaces, spies on Dutch IT firms. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/turkish-apt-sea-turtle-resurfaces

Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Hunt & Hackett. https://www.huntandhackett.com/blog/turkish-espionage-campaigns
