The Turkish state-backed cyber espionage group tracked as Sea Turtle has been carrying out multiple spying campaigns in the Netherlands, focusing on telcos, media, internet service providers (ISPs), and Kurdish websites.
Previously, Sea Turtle, also known as Teal Kurma and Cosmic Wolf, focused on the Middle Eastern region, as well as Sweden and the United States, using techniques like DNS hijacking and traffic redirection to perform man-in-the-middle attacks against government and non-government organizations, media, ISPs, and IT service providers.
The recent expansion to the Netherlands was observed by analysts at Hunt & Hackett, who report that Sea Turtle remains a threat group of moderate sophistication, primarily using known flaws and compromised accounts for initial access while failing to hide their activity trace effectively.
The recent attacks
Hunt & Hackett says it has observed Sea Turtle activity in the Netherlands between 2021 and 2023, with new techniques and malware being introduced recently.
The attacks target specific organizations and appear to be focused on acquiring economic and political intelligence that aligns with the Turkish state’s interests.
“These cyberattacks are believed to be orchestrated by Sea Turtle operating in alignment with Turkish interests, signaling an escalation in Turkey’s pursuit of objectives within the Netherlands,” reads the report.
“The campaigns observed in the Netherlands appear to focus on telecommunication, media, ISPs, and IT-service providers and more specifically Kurdish websites (among others PPK affiliated).”
Initial access in the observed attacks is achieved by using compromised cPanel accounts to SSH onto the target infrastructure.
A new tool deployed in the recent Sea Turtle attacks is ‘SnappyTCP,’ an open-source reverse TCP shell for Linux that offers basic command and control (C2) capabilities.
The tool remains active on the system to serve as a persistent backdoor by using the ‘NoHup’ command, preventing its termination even when the threat actors have logged out.
The researchers also report seeing the installation of the Adminer database management tool in the public directory of one of the compromised cPanel accounts, giving them persistent data access and SQL command execution capabilities.
For evasion, Sea Turtle overwrites Linux system log files and unsets the command (Bash) and MySQL history files to erase the trace of their presence and activities.
Also, Hunt & Hackett have logged multiple cases of the threat actors connecting to the compromised cPanel accounts using a virtual private network (VPN) tool.
Finally, when it comes to data exfiltration, the attackers created copies of email archives from compromised cPanel accounts and placed them in the public web directory of a website, making them available for downloading.
The SnappyTCP tool, like most reverse shells, can also be used for data exfiltration directly to the C2 server using TCP or HTTP connections.
Hunt & Hackett have seen no cases of post-compromise credential theft, lateral movement attempts, or data manipulation/wiping in these attacks.
Despite Sea Turtle’s techniques being classified as moderately sophisticated, the group continues to pose a significant threat to organizations globally.
Recommendations for mitigating this threat include deploying strict network monitoring, enabling MFA on all critical accounts, and reducing SSH exposure to the minimum required systems.