Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have fallen victim to a new cyber espionage campaign led by the Türkiye-nexus threat actor known as Sea Turtle. The attack, as revealed by Dutch security firm Hunt & Hackett, strategically targeted susceptible infrastructure with the potential for supply chain and island-hopping attacks. Sea Turtle, also recognized as Cosmic Wolf and UNC1326, has a history dating back to January 2017, primarily using DNS hijacking. The group’s activities, which involve collecting politically motivated information, have evolved to employ a Linux/Unix reverse TCP shell named SnappyTCP for stealthy attacks carried out between 2021 and 2023.
Microsoft’s observations in late 2021 highlighted Sea Turtle’s intelligence collection efforts aligned with strategic Turkish interests, spanning countries like Armenia, Cyprus, Greece, Iraq, and Syria. The group targets telecom and IT companies, aiming to establish a foothold upstream of their intended targets through the exploitation of known vulnerabilities. Recent findings from Hunt & Hackett indicate that Sea Turtle remains a covert and espionage-focused threat actor, utilizing defense evasion techniques to go unnoticed while harvesting email archives. In one observed attack in 2023, the threat actor used a compromised-but-legitimate cPanel account as an initial access vector to deploy SnappyTCP and accessed a public web directory to potentially exfiltrate an email archive, demonstrating the group’s persistence and adaptability.
Sea Turtle’s tactics involve utilizing SnappyTCP, a reverse TCP shell for Linux/Unix with basic command-and-control capabilities, for creating secure connections over TLS. The latest campaign showcases the threat actor’s ability to exploit vulnerabilities in the supply chain and utilize sophisticated attack vectors, highlighting the ongoing and evolving nature of cyber threats. The stealthy approach and the focus on politically motivated information collection suggest Sea Turtle’s intent to conduct surveillance or intelligence gathering on specific individuals and minority groups, emphasizing the need for enhanced cybersecurity measures and vigilance against such advanced threat actors.
