Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have fallen victim to a new cyber espionage campaign conducted by a threat actor known as Sea Turtle. Dutch security firm Hunt & Hackett has analyzed the attack and revealed that the targets’ infrastructure was vulnerable to supply chain and island-hopping attacks. Sea Turtle exploited these weaknesses to gather politically motivated information, including personal data on minority groups and potential dissidents.

Sea Turtle, also known as Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first identified by Cisco Talos in April 2019. The group has been carrying out state-sponsored attacks on public and private entities in the Middle East and North Africa since January 2017. Their primary method of attack involves DNS hijacking, redirecting targets attempting to query a specific domain to a server controlled by the threat actor. This server is capable of harvesting the victims’ credentials.

According to Talos, the Sea Turtle campaign poses a more severe threat than DNSpionage due to the actor’s methodology in targeting various DNS registrars and registries. Microsoft also reported that the adversary conducts intelligence collection to serve Turkish interests, focusing on countries such as Armenia, Cyprus, Greece, Iraq, and Syria. Their attacks primarily target telecom and IT companies, aiming to establish a foothold upstream of their desired targets by exploiting known vulnerabilities.

In recent months, the PricewaterhouseCoopers (PwC) Threat Intelligence team discovered that Sea Turtle has been using a simple reverse TCP shell called SnappyTCP in their attacks on Linux and Unix systems. This web shell has basic command-and-control capabilities and is likely used for establishing persistence. The team identified at least two main variants of SnappyTCP, one using OpenSSL to create a secure connection over TLS, and the other sending requests in cleartext.

The latest analysis from Hunt & Hackett indicates that Sea Turtle remains a stealthy espionage-focused group, employing defense evasion techniques to avoid detection while harvesting email archives. In one observed attack in 2023, the threat actor used a compromised but legitimate cPanel account as an initial access vector to deploy SnappyTCP on the system. It is currently unknown how the attackers obtained the account credentials. Using SnappyTCP, the threat actor executed commands to create a copy of an email archive in the public web directory of the targeted website, which was accessible from the internet. The threat actor likely exfiltrated the email archive by directly downloading the file from the web directory.

To mitigate the risks posed by such attacks, organizations are advised to enforce strong password policies, implement two-factor authentication (2FA), rate limit login attempts to reduce the chances of brute-force attacks, monitor SSH traffic, and keep all systems and software up-to-date.

The discovery of Sea Turtle’s ongoing cyber espionage campaign highlights the importance of robust cybersecurity measures for businesses and individuals alike. As threat actors continue to evolve their tactics, it is crucial to stay vigilant and take proactive steps to protect sensitive information and networks.

via The Hacker News