January 8, 2024 at 09:54AM
A cyberespionage group, likely linked to Turkey, named Sea Turtle, Cosmic Wolf, Marbled Dust, Silicon, and Teal Kurma, has been targeting public and private organizations in the Netherlands. The group, observed by Dutch incident response provider Hunt & Hackett, conducted multiple espionage campaigns focusing on government, telecommunications, media, NGOs, ISPs, and IT services providers. The group is suspected of using stolen information for surveillance and intelligence gathering, employing defense evasion techniques to avoid detection. The group was initially detailed in 2019 and resurfaced recently, using a reverse shell for Linux/Unix systems. The group is believed to have exploited known vulnerabilities for initial access since at least 2017, and a publicly accessible GitHub repository has been identified as hosting some of the shell’s code. StrikeReady published an analysis regarding Sea Turtle, providing indicators of compromise associated with the group’s activities.
A state-supported cyberespionage group, likely affiliated with Turkey, is targeting public and private entities in the Netherlands for intelligence gathering. The group, known by several names such as Sea Turtle, Cosmic Wolf, Marbled Dust, Silicon, and Teal Kurma, has focused on government, telecommunications, media, NGOs, ISPs, and IT services providers in the country, with particular emphasis on telecom, media, ISP, and IT services organizations, as well as Kurdish websites, including those affiliated with the Kurdistan People’s Congress (PKK).
The group uses supply chain and island-hopping attacks to collect politically motivated information, such as personal information on minority groups and potential political dissidents. It has been observed executing defense evasion techniques to avoid detection, intercepting internet traffic to victim websites, and potentially gaining unauthorized access to government networks and other organizations.
Sea Turtle has been previously detailed in 2019 for its use of complex DNS hijacking techniques and more recently came into the spotlight with PwC’s analysis of ‘SnappyTCP’, a reverse shell for Linux/Unix systems that the group has been using since 2021. The APT has been exploiting known vulnerabilities for initial access since at least 2017 and is believed to have continued doing so over the past three years. They use a simple reverse TCP shell for Linux with basic command-and-control (C&C) capabilities, and it seems that their shell’s code is identical to code found in a publicly accessible GitHub repository.
In late December, StrikeReady published its own analysis of Sea Turtle, providing indicators of compromise (IoCs) associated with the threat actor’s activities. This further highlights the ongoing cyberespionage activities of this APT group.