Cybersecurity firm Hunt & Hackett detected a series of cyberattacks in the Netherlands, believed to be orchestrated by a threat actor acting in the interests of Turkey, that have targeted telecommunication, media, ISPs, and IT-service providers, particularly those associated with Kurdish websites.
The Turkey-based threat actor, tracked as Sea Turtle and also known as Teal Kurma, Marbled Dust, SILICON, and Cosmic Wolf, has been active since 2017 and is primarily known for DNS hijacking to achieve its objectives. While its primary focus remains Europe and the Middle East, recent observations indicate a shift in tactics, possibly aimed at evading detection.
Sea Turtle has consistently targeted governmental bodies, Kurdish political groups like the PKK, NGOs, telecommunication entities, ISPs, IT service providers, and media and entertainment organizations.
In its recent campaigns spanning 2021 to 2023, the threat actor exploited vulnerabilities in the targets' infrastructure, utilizing supply chain and island-hopping attacks to collect intelligence and personal data of minority groups and potential political dissidents.
The threat actor has displayed evolving capabilities with the use of a reverse TCP shell named SnappyTCP for Linux/Unix during a recent campaign in 2023. The researchers noted that Sea Turtle has been using code from a publicly accessible GitHub account, which has since been taken down.
Sea Turtle has also been observed compromising cPanel accounts and using SSH for initial access to the IT environment of targeted organizations. The threat actor then deployed the SnappyTCP backdoor on the system, though the method of obtaining the credentials remains unknown.
Using SnappyTCP, the attacker sent commands to the system to create, with the tool tar, an archive of e-mail and place a copy of it in the website's public web directory, which was reachable from the internet. The researchers noted that the threat actor then very likely exfiltrated the e-mail archive simply by downloading the file directly from that web directory.
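As an added, constructed example (not part of the Hunt & Hackett research), a defender-side check for the staging-and-exfiltration step described above: it parses web-server access log lines in the common combined format and flags successful downloads of large archive files from the public web directory, and it walks a web root for archive files staged on disk. The log lines, paths and the 10 MB threshold are constructed assumptions.

```python
import os
import re
from collections import namedtuple

# Constructed sample access log lines in combined format (not real data):
# the third line models a large tar archive fetched from the web root.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2023:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2023:03:15:22 +0000] "GET /images/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Dec/2023:03:41:09 +0000] "GET /mail-backup.tar HTTP/1.1" 200 734003200 "-" "curl/7.88.1"
198.51.100.23 - - [12/Dec/2023:03:42:10 +0000] "GET /old.tar.gz HTTP/1.1" 404 312 "-" "curl/7.88.1"
"""

# Minimal parser for the combined log format: client IP, timestamp,
# request line, status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Extensions an e-mail dump staged for download would plausibly carry.
ARCHIVE_EXT = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz", ".zip", ".7z", ".mbox")

Hit = namedtuple("Hit", "ip ts path bytes")


def find_archive_downloads(log_text, min_bytes=10 * 1024 * 1024):
    """Return successful GETs of archive files whose response is at least min_bytes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production rule would count these
        path = m.group("path").split("?", 1)[0].lower()
        if m.group("method") != "GET" or m.group("status") != "200":
            continue  # only completed downloads matter here
        if not path.endswith(ARCHIVE_EXT):
            continue
        size = int(m.group("bytes")) if m.group("bytes") != "-" else 0
        if size >= min_bytes:
            hits.append(Hit(m.group("ip"), m.group("ts"), path, size))
    return hits


def find_staged_archives(web_root, min_bytes=10 * 1024 * 1024):
    """Walk a web root and list archive files large enough to be a mail dump."""
    staged = []
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ARCHIVE_EXT) and os.path.getsize(full) >= min_bytes:
                staged.append(full)
    return staged
```

Run `find_archive_downloads` over the access log and `find_staged_archives` over the web root (for example a cPanel account's public_html) on a schedule; either check firing on a host that never legitimately serves archives is worth an alert.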