
Dutch telecoms, media, internet service providers (ISPs), information technology (IT) service providers and Kurdish websites have become targets of a new cyber espionage campaign launched by a Turkey-linked threat group known as Sea Turtle.
Dutch security firm Hunt & Hackett said in an analysis published on Friday: “Target infrastructure is vulnerable to supply chain and island-hopping attacks, which are used by attacker groups to collect politically motivated information, such as the personal information of minority groups and potential political dissidents.”
“Stolen information may be used for surveillance or intelligence gathering against specific groups and/or individuals.”
Sea Turtle, also known as Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, which detailed state-sponsored attacks targeting public and private entities in the Middle East and North Africa.

Activity associated with the group is believed to have been ongoing since January 2017, primarily utilizing DNS hijacking to redirect potential targets attempting to query specific domains to attacker-controlled servers capable of harvesting their credentials.
“Given the attackers’ methods for targeting various DNS registrars and registries, the Sea Turtle campaign almost certainly poses a more serious threat than DNSpionage,” Talos said at the time.
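The DNS hijacking described above works by returning attacker-chosen answers for a victim's domain, so one defensive check is to resolve monitored names through several resolvers and compare every answer against a trusted baseline. The following is an added example (not tooling from Hunt & Hackett, Talos or the article) that builds a minimal DNS query with the Python standard library, parses A and NS answers, and reports any resolver whose answer diverges. The domain names, IP addresses, resolver labels and baseline records are constructed placeholders, and `constructed_response` fabricates a reply purely so the parser and comparison can be exercised offline.

```python
"""Detect DNS hijacking by comparing live answers against a trusted baseline.

Added example, not code from Hunt & Hackett, Talos or the article. Domain
names, addresses and the baseline below are constructed placeholders.
"""
import socket
import struct
from typing import Dict, List, Set

TYPE_A, TYPE_NS = 1, 2
Answers = Dict[int, Set[str]]


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, next_off = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                next_off = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        next_off = off
    return ".".join(labels), next_off


def parse_answers(msg: bytes) -> Answers:
    """Return {record_type: set(rdata)} for A and NS records in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    out: Answers = {TYPE_A: set(), TYPE_NS: set()}
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            out[TYPE_A].add(socket.inet_ntoa(msg[off:off + 4]))
        elif rtype == TYPE_NS:
            out[TYPE_NS].add(_read_name(msg, off)[0])
        off += rdlen
    return out


def query(name: str, qtype: int, resolver: str, timeout: float = 3.0) -> Answers:
    """Send one UDP query to a resolver and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_answers(data)


def find_divergence(baseline: Dict[str, Answers],
                    observed: Dict[str, Dict[str, Answers]]) -> List[str]:
    """Compare each resolver's answers with the baseline; return alert strings."""
    alerts = []
    for domain, per_resolver in observed.items():
        expected = baseline.get(domain, {})
        for resolver, answers in per_resolver.items():
            for rtype, label in ((TYPE_A, "A"), (TYPE_NS, "NS")):
                unexpected = answers.get(rtype, set()) - expected.get(rtype, set())
                if unexpected:
                    alerts.append(f"{domain}: resolver {resolver} returned unexpected "
                                  f"{label} {sorted(unexpected)}")
    return alerts


def constructed_response(name: str, a_ip: str, ns_name: str) -> bytes:
    """Fabricate a DNS reply (one A, one NS record) for offline demonstration only."""
    question = build_query(name, TYPE_A)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    ptr = b"\xc0\x0c"  # pointer back to the question name at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(a_ip)
    ns_wire = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in ns_name.split(".")) + b"\x00"
    ns_rr = ptr + struct.pack("!HHIH", TYPE_NS, 1, 300, len(ns_wire)) + ns_wire
    return header + question + a_rr + ns_rr


def demo() -> List[str]:
    """Constructed scenario: one resolver agrees with the baseline, one does not."""
    baseline = {"mail.example.test": {TYPE_A: {"203.0.113.10"}, TYPE_NS: {"ns1.example.test"}}}
    good = parse_answers(constructed_response("mail.example.test", "203.0.113.10", "ns1.example.test"))
    bad = parse_answers(constructed_response("mail.example.test", "198.51.100.77", "ns1.example.test"))
    return find_divergence(baseline, {"mail.example.test": {"resolver-a": good, "resolver-b": bad}})


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In production the `observed` map would be filled by calling `query` against a handful of independent resolvers (your own, your upstream's, and a public one), and the baseline should be taken from registrar-side records rather than from a single resolver, since a hijack at the registrar or registry level changes what every resolver returns.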
Microsoft noted in late 2021 that the adversary gathers intelligence from countries such as Armenia, Cyprus, Greece, Iraq, and Syria to serve Turkey’s strategic interests, and attacks telecom and IT companies by exploiting known vulnerabilities with the goal of “establishing a foothold upstream of their intended targets.”
Last month, PwC’s threat intelligence team reported that the attackers had used a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks carried out between 2021 and 2023.
“The web shell is a simple reverse TCP shell for Linux/Unix with basic [command-and-control] functions,” the company said. “There are at least two main variants; one uses OpenSSL to establish a secure connection over TLS, while the other omits this feature and sends requests in clear text.”
Hunt & Hackett’s latest findings indicate that Sea Turtle remains a group focused on covert espionage operations, using defense evasion techniques to fly under the radar and collect email archives.

In the attacks observed in 2023, a stolen but legitimate cPanel account was used as the initial access vector to deploy SnappyTCP on the system. It’s unclear how the attackers obtained the credentials.
“Threat actors used SnappyTCP to send commands to the system to create a copy of an email archive created using the tar tool in a public web directory of a website accessible over the Internet,” the company noted.
“Threat actors likely stole the email archive by downloading the file directly from the web directory.”
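The staging step described above leaves two artifacts a defender can look for: an archive sitting inside a web-served directory, and access-log entries fetching it. The following is an added example (not Hunt & Hackett's tooling) that walks a document root for archive-like files, peeks inside tarballs for Maildir-style member names, and cross-references a web access log for successful downloads of those paths. The directory layout, file names and log lines are constructed inside a temporary directory so the check runs offline.

```python
"""Hunt for mail archives staged in a public web directory.

Added example, not from the article or Hunt & Hackett. The document root,
archive and access-log lines are constructed for the demonstration.
"""
import os
import re
import tarfile
import tempfile
from typing import Dict, List

ARCHIVE_EXTS = (".tar", ".tar.gz", ".tgz", ".zip", ".mbox", ".gz")
# Common/combined log format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+)')


def find_exposed_archives(docroot: str) -> List[str]:
    """Return web-relative paths of archive-like files under the document root."""
    hits = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXTS):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits)


def archive_contents_look_like_mail(path: str) -> bool:
    """Peek inside a tar archive for Maildir (cur/new) or mbox-style member names."""
    if not tarfile.is_tarfile(path):
        return False
    with tarfile.open(path) as tf:
        names = tf.getnames()
    return any("/cur/" in n or "/new/" in n or n.lower().endswith((".mbox", "inbox"))
               for n in names)


def downloads_of(paths: List[str], access_log: str) -> Dict[str, List[str]]:
    """Map each exposed path to the client IPs that fetched it with a 2xx status."""
    wanted = set(paths)
    seen: Dict[str, List[str]] = {}
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") not in wanted or not m.group("status").startswith("2"):
            continue
        seen.setdefault(m.group("path"), []).append(m.group("ip"))
    return seen


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> Dict[str, object]:
    """Build a constructed docroot with a staged mail tarball and check it."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "public_html")
    _write(os.path.join(docroot, "index.html"), "<html></html>\n")
    # constructed Maildir outside the docroot, then tarred into a public folder
    _write(os.path.join(root, "mail", "cur", "1700000000.msg"), "Subject: test\n")
    staged = os.path.join(docroot, "img", "backup.tar")
    os.makedirs(os.path.dirname(staged), exist_ok=True)
    with tarfile.open(staged, "w") as tf:
        tf.add(os.path.join(root, "mail"), arcname="mail")
    # constructed access-log lines: one successful fetch, one unrelated, one 404
    log = ('198.51.100.23 - - [10/Jan/2024:10:00:01 +0000] "GET /img/backup.tar HTTP/1.1" 200 512000\n'
           '203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 120\n'
           '198.51.100.23 - - [10/Jan/2024:10:00:03 +0000] "GET /img/backup.tar HTTP/1.1" 404 0\n')
    exposed = find_exposed_archives(docroot)
    return {
        "exposed": exposed,
        "mail_like": {p: archive_contents_look_like_mail(os.path.join(docroot, p.lstrip("/")))
                      for p in exposed},
        "downloads": downloads_of(exposed, log),
    }


if __name__ == "__main__":
    print(demo())
```

On a real cPanel host the same walk would be pointed at each account's `public_html`, and the log parser at the per-domain access logs; an archive that is both mail-like and has been fetched from an external address is the combination worth treating as a confirmed exfiltration rather than a stray backup.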
To mitigate the risk posed by such attacks, it is recommended that organizations enforce strong password policies, enable two-factor authentication (2FA), rate-limit login attempts to reduce the chance of successful brute-force attempts, monitor SSH traffic, and keep all systems and software up to date.
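Two of the recommendations above, rate-limiting login attempts and monitoring SSH traffic, come together in a detector that reads sshd authentication lines, counts failures per source address inside a sliding window, and flags both the burst itself and the more telling case of a successful login from an address that just produced one. The following is an added example, not from the article or Hunt & Hackett; the log lines, host name, user names and addresses are constructed, and the threshold and window are illustrative defaults.

```python
"""Sliding-window SSH brute-force detection over sshd auth log lines.

Added example, not from the article or Hunt & Hackett. The log lines,
addresses and user names below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: a 5-attempt burst, then a success from the same address,
# an unrelated key-based login, and a lone failure an hour later.
SAMPLE_LOG = [
    "Jan 10 10:00:01 host sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 51000 ssh2",
    "Jan 10 10:00:03 host sshd[1235]: Failed password for invalid user test from 198.51.100.23 port 51002 ssh2",
    "Jan 10 10:00:05 host sshd[1236]: Failed password for root from 198.51.100.23 port 51004 ssh2",
    "Jan 10 10:00:07 host sshd[1237]: Failed password for webadmin from 198.51.100.23 port 51006 ssh2",
    "Jan 10 10:00:09 host sshd[1238]: Failed password for webadmin from 198.51.100.23 port 51008 ssh2",
    "Jan 10 10:00:12 host sshd[1239]: Accepted password for webadmin from 198.51.100.23 port 51010 ssh2",
    "Jan 10 10:05:00 host sshd[1300]: Accepted publickey for deploy from 203.0.113.5 port 40000 ssh2",
    "Jan 10 11:00:00 host sshd[1400]: Failed password for root from 192.0.2.9 port 2222 ssh2",
]


def parse_line(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) or None for lines that are not auth events."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {' '.join(m.group('ts').split())}", "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_bruteforce(lines: List[str], threshold: int = 5, window_s: int = 60) -> Dict[str, List[str]]:
    """Flag sources with >= threshold failures inside window_s, and logins that follow a burst."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts: Dict[str, List[str]] = {"burst": [], "success_after_burst": []}
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:  # expire old failures
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts["burst"].append(f"{ip}: {len(q)} failures within {window_s}s (last user {user!r})")
        elif result == "Accepted" and ip in flagged:
            alerts["success_after_burst"].append(f"{ip}: login as {user!r} after brute-force burst")
    return alerts


if __name__ == "__main__":
    for kind, items in detect_bruteforce(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

The "burst" alert is what a rate limiter such as cPHulk or fail2ban would act on; the "success_after_burst" alert is the one to route to an analyst, because a login that follows a burst from the same address is how a guessed or stolen credential, like the cPanel account in the incident above, first shows up in the logs.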