January 6, 2024 at 03:33AM
A cyber espionage campaign by the threat actor Sea Turtle targets telecommunication, media, internet service providers, and Kurdish websites in the Netherlands, collecting politically motivated information. Sea Turtle, documented in 2019, uses DNS hijacking and exploits known vulnerabilities, and was found to use a simple reverse TCP shell. Organizations are advised to enforce strong security measures.
Based on the meeting notes, here are the key takeaways:
– A new cyber espionage campaign attributed to the threat actor Sea Turtle has targeted telecommunication, media, ISPs, IT-service providers, and Kurdish websites in the Netherlands.
– Sea Turtle, also known as Cosmic Wolf, Marbled Dust, Teal Kurma, and UNC1326, has been active since January 2017, primarily using DNS hijacking to redirect targets and collect credentials.
– The adversary aims to meet strategic Turkish interests by targeting countries like Armenia, Cyprus, Greece, Iraq, and Syria and striking telecom and IT companies to establish a foothold upstream of their desired target.
– Recently, Sea Turtle was found using a simple reverse TCP shell called SnappyTCP in attacks between 2021 and 2023 to establish persistence and exfiltrate email archives.
– To mitigate such attacks, organizations are advised to enforce strong password policies, implement two-factor authentication, monitor SSH traffic, and keep systems and software up to date.