Cybersecurity · 2 min read

Cyber Shadows: Unveiling the Sea Turtle Espionage Campaign in the Netherlands

Welcome back to The Final Hop. Today's narrative unfurls the complex saga of Turkey's alleged cyber espionage in the Netherlands, a tale that is as enthralling as it is significant. Join us as we explore the intricate web of digital intrigue and state-sponsored cyber tactics, revealing how modern warfare extends beyond physical battlegrounds into the realm of cyberspace.

Unveiling the Sea Turtle Campaign: Turkey's Digital Intrigue in the Netherlands

Over the past year, Hunt & Hackett has observed a series of cyberattacks in the Netherlands. These attacks are believed to have been orchestrated by a cyber threat actor known by aliases such as Sea Turtle, Teal Kurma, Marbled Dust, SILICON, and Cosmic Wolf. This group aligns with Turkish interests, and its activity signifies an escalation in Turkey's pursuit of objectives within Western nations. This blog post aligns Hunt & Hackett's observations with the known modus operandi of this threat actor, with the aim of helping security organizations prepare for and safeguard against its methods and tools.

Background, Motivations, and Targets

Sea Turtle, a Turkey-based Advanced Persistent Threat (APT) actor, is motivated by espionage and information theft targeting both public and private entities. From 2017 to 2019, they were mainly known for DNS hijacking to achieve their objectives. Microsoft and other organizations like the Greek National CERT have shed light on this group, revealing their pursuit of intelligence aligned with strategic Turkish interests.

The Sea Turtle group primarily targets organizations in Europe, the Middle East, and North Africa, focusing on governmental bodies, Kurdish political groups like PKK, NGOs, telecommunication entities, ISPs, IT service providers, and media & entertainment organizations. They aim to gather valuable and sensitive data, using strategies like intercepting internet traffic and employing reverse shell mechanisms for data collection and extraction.

Sea Turtle Campaigns in the Netherlands

Hunt & Hackett has observed multiple Sea Turtle campaigns in the Netherlands. These campaigns focused on telecommunication, media, ISPs, IT service providers, and specifically Kurdish websites, including those affiliated with the PKK. The group uses supply chain and island-hopping attacks to collect politically motivated information such as personal data on minority groups and political dissidents.

Modus Operandi and Threat Actor Highlights

Sea Turtle's modus operandi includes redirecting user traffic, obtaining valid encryption certificates, performing man-in-the-middle attacks to harvest credentials, and gaining initial access to targeted organizations' networks. Despite being only moderately sophisticated, the group primarily exploits publicly known vulnerabilities for initial access and has been observed to be sloppy in operational security. It uses reverse shell mechanisms to collect and exfiltrate sensitive data.

Hunt & Hackett’s detailed investigation reveals the specific techniques used by Sea Turtle, mapped to the MITRE ATT&CK framework. The group’s tactics range from reconnaissance to execution, persistence, defense evasion, credential access, discovery, lateral movement, collection, command and control, and exfiltration.

Technical Campaign Details and Command & Control

The recent campaigns, initiated in early 2023, targeted multiple organizations and involved techniques such as logging into cPanel accounts from compromised IP addresses, downloading and compiling source code files of reverse shells, and setting up command-and-control channels. Sea Turtle used malware such as SnappyTCP for persistence and exfiltration, and tools such as Adminer for database management.
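As an added defensive illustration, not code from the original post or from the Hunt & Hackett report, the following Python script flags the kind of event described above: a cPanel-style login that succeeds from an IP address outside an account's known baseline, optionally after repeated failures from that same address. The log line format, account names and IP addresses are constructed assumptions, not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in an assumed format:
#   "<ISO timestamp> <account> <source IP> <login result>"
# These are NOT real cPanel logs or indicators from the Hunt & Hackett report.
SAMPLE_LOG = """\
2023-02-01T08:12:01Z webadmin 203.0.113.10 SUCCESS
2023-02-01T09:40:22Z webadmin 203.0.113.10 SUCCESS
2023-02-03T02:15:09Z webadmin 198.51.100.77 FAILED
2023-02-03T02:15:31Z webadmin 198.51.100.77 FAILED
2023-02-03T02:16:05Z webadmin 198.51.100.77 SUCCESS
2023-02-04T11:02:44Z editor 203.0.113.55 SUCCESS
"""

# Constructed baseline: source IPs each account is expected to log in from.
BASELINE = {"webadmin": {"203.0.113.10"}, "editor": {"203.0.113.55"}}


def parse_lines(text):
    """Parse log text into (timestamp, account, ip, success) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, account, ip, result = parts
        ipaddress.ip_address(ip)  # raises ValueError on a garbled address
        events.append((ts, account, ip, result == "SUCCESS"))
    return events


def find_suspicious_logins(events, baseline_ips, max_failures=2):
    """Return successful logins from an IP outside the account's baseline.

    Each alert records how many failed attempts from that IP preceded the
    success, and whether that count reaches the brute-force threshold."""
    failures = defaultdict(int)  # (account, ip) -> failed attempts so far
    alerts = []
    for ts, account, ip, ok in events:
        if not ok:
            failures[(account, ip)] += 1
            continue
        if ip in baseline_ips.get(account, set()):
            continue  # known source for this account, nothing to flag
        prior = failures[(account, ip)]
        alerts.append({"time": ts, "account": account, "ip": ip,
                       "failures_before": prior,
                       "brute_force_pattern": prior >= max_failures})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_lines(SAMPLE_LOG), BASELINE):
        print(alert)
```

Feeding the script real cPanel access logs would require adapting `parse_lines` to the actual log format and maintaining the baseline from historical data rather than a hard-coded dictionary.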

Final Insights: Navigating the Cyber Espionage Terrain

The story of Turkey's alleged cyber espionage campaigns in the Netherlands, as reported by Hunt & Hackett, is a vivid illustration of the complex landscape of modern digital warfare. Organizations, particularly in sectors like telecommunications, IT, and media, must be vigilant and proactive in their cybersecurity measures. As the digital domain continues to be a battleground for geopolitical interests, understanding these threats and their methodologies is crucial for national and global security.

Stay tuned to The Final Hop for more in-depth analyses and updates on the evolving world of cyber espionage.
