Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have fallen victim to a new cyber espionage campaign conducted by a threat actor known as Sea Turtle. Dutch security firm Hunt & Hackett has analyzed the attack and revealed that the targets’ infrastructure was vulnerable to supply chain and island-hopping attacks. Sea Turtle exploited these weaknesses to gather politically motivated information, including personal data on minority groups and potential dissidents.

Sea Turtle, also known as Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first identified by Cisco Talos in April 2019. The group has been carrying out state-sponsored attacks on public and private entities in the Middle East and North Africa since January 2017. Their primary method of attack involves DNS hijacking, redirecting targets attempting to query a specific domain to a server controlled by the threat actor. This server is capable of harvesting the victims’ credentials.

According to Talos, the Sea Turtle campaign poses a more severe threat than DNSpionage due to the actor’s methodology in targeting various DNS registrars and registries. Microsoft also reported that the adversary conducts intelligence collection to serve Turkish interests, focusing on countries such as Armenia, Cyprus, Greece, Iraq, and Syria. Their attacks primarily target telecom and IT companies, aiming to establish a foothold upstream of their desired targets by exploiting known vulnerabilities.

In recent months, the PricewaterhouseCoopers (PwC) Threat Intelligence team discovered that Sea Turtle has been using a simple reverse TCP shell called SnappyTCP in their attacks on Linux and Unix systems. This web shell has basic command-and-control capabilities and is likely used for establishing persistence. The team identified at least two main variants of SnappyTCP, one using OpenSSL to create a secure connection over TLS, and the other sending requests in cleartext.

The latest analysis from Hunt & Hackett indicates that Sea Turtle remains a stealthy espionage-focused group, employing defense evasion techniques to avoid detection while harvesting email archives. In one observed attack in 2023, the threat actor used a compromised but legitimate cPanel account as an initial access vector to deploy SnappyTCP on the system. It is currently unknown how the attackers obtained the account credentials. Using SnappyTCP, the threat actor executed commands to create a copy of an email archive in the public web directory of the targeted website, which was accessible from the internet. The threat actor likely exfiltrated the email archive by directly downloading the file from the web directory.

To mitigate the risks posed by such attacks, organizations are advised to enforce strong password policies, implement two-factor authentication (2FA), rate limit login attempts to reduce the chances of brute-force attacks, monitor SSH traffic, and keep all systems and software up-to-date.

The discovery of Sea Turtle’s ongoing cyber espionage campaign highlights the importance of robust cybersecurity measures for businesses and individuals alike. As threat actors continue to evolve their tactics, it is crucial to stay vigilant and take proactive steps to protect sensitive information and networks.

via The Hacker News

Security Report News

Security Report News and guest post account. Opinions and views expressed by guest authors are their own and not necessarily endorsed by Security Report Ltd. or our affiliates.

Recent Posts

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

5 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

5 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

5 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

1 year ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

Royal Mail online tracking returns — with a frustrating captcha that works half the time

Mysterious week-long outage impacting the Royal Mail tracking website is subsiding, but with caveats. Meanwhile,…

2 years ago

This website uses cookies.