Turkish APT Sea Turtle Resurfaces to Spy on Kurdish Opposition

Published: 23/11/2024   Category: security




An old state-aligned threat actor is back on the radar, thanks to recent EMEA espionage campaigns against a minority ethnic group.



A group aligned with the interests of the government of Turkey has been turning up its politically motivated cyber espionage lately, targeting Kurdish opposition groups through high-value supply chain targets in Europe, the Middle East, and North Africa.
Following some years out of the limelight, Sea Turtle (aka Teal Kurma, Marbled Dust, Silicon, or Cosmic Wolf) is now back under scrutiny, most recently thanks to multiple campaigns targeting organizations in the Netherlands, tracked by the research group Hunt & Hackett. Since 2021, victims of these campaigns have spanned targets in media, telecommunications, internet service providers, and IT service providers, with a specific focus on reaching websites associated with Kurds and the Kurdistan Workers' Party (PKK).
Turkey has been in conflict with Kurdish opposition groups, primarily represented by the PKK, for decades. Tens of thousands of ethnic Kurds live in the Netherlands.
"You can imagine that an attacker aligning with Turkish political interests has significant interest in where the dissident Kurds are in Europe," warns one member of the Hunt & Hackett research team, who chose to remain anonymous for this story.
Evidence of Sea Turtle activity dates back to 2017, but the group was only first discovered in 2019. By that time, it had already compromised more than 40 organizations — including many in government and the military — spread across 13 countries, primarily in the Middle East and Africa.
Each of those cases involved a DNS hijack: manipulating the targets' DNS records so as to redirect incoming traffic to attacker-controlled servers, which then forwarded it on to the intended destination. Because the legitimate site keeps working behind the attacker's proxy, the victim rarely notices anything wrong.
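The hijack described above leaves one reliable trace: the zone's records no longer match what the owner published. The following is an added example, not code from the article or from Hunt & Hackett, showing how a defender can catch that drift. It assumes an out-of-band baseline of expected records (kept, for instance, in a signed file in version control) and snapshots collected with `dig +noall +answer <name> <type> @<resolver>`; the domain names and IP addresses are constructed for the example and are not real Sea Turtle indicators.

```python
"""Detect DNS record drift of the kind a registrar/zone-level hijack produces.

Added example (not the article's or Hunt & Hackett's code). Assumptions:
  * a baseline of expected records is stored out of band and trusted;
  * snapshots come from `dig +noall +answer <name> <type> @<resolver>`;
  * all names/addresses below are constructed (RFC 2606 / RFC 5737 ranges).
"""
from collections import defaultdict

# Severity by record type. A changed NS set means the delegation itself was
# re-pointed at attacker name servers; changed A/AAAA/MX records re-route
# web or mail traffic through a server the attacker controls.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "MX": "high", "TXT": "medium"}

# Constructed baseline, in `dig +noall +answer` format.
BASELINE_DIG = """
example-media.test.     300  IN A  203.0.113.10
example-media.test.     3600 IN NS ns1.example-dns.test.
example-media.test.     3600 IN NS ns2.example-dns.test.
example-media.test.     3600 IN MX 10 mail.example-media.test.
"""

# Constructed snapshot: only the web A record has been re-pointed, which is
# exactly the quiet, proxy-in-the-middle pattern the article describes.
OBSERVED_DIG = """
example-media.test.     300  IN A  198.51.100.7
example-media.test.     3600 IN NS ns1.example-dns.test.
example-media.test.     3600 IN NS ns2.example-dns.test.
example-media.test.     3600 IN MX 10 mail.example-media.test.
"""


def parse_dig_answer(text):
    """Parse `dig +noall +answer` lines into {(owner, rtype): {rdata, ...}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, *rdata = parts
        # Normalise case and the trailing dot on the owner; MX rdata keeps
        # its preference ("10 mail.example-media.test.").
        records[(owner.lower().rstrip("."), rtype)].add(" ".join(rdata).lower())
    return dict(records)


def detect_hijack(baseline, observed):
    """Return one finding per baseline record set that no longer matches."""
    findings = []
    for key, expected in sorted(baseline.items()):
        seen = observed.get(key, set())
        if seen == expected:
            continue
        findings.append({
            "name": key[0],
            "type": key[1],
            "severity": SEVERITY.get(key[1], "low"),
            "unexpected": sorted(seen - expected),
            "missing": sorted(expected - seen),
        })
    return findings


def classify_scope(baseline, snapshots):
    """Label each drifted record by how widely resolvers agree on the change.

    `snapshots` maps a resolver label to its parsed answer. If every resolver
    returns the same deviation, the zone or delegation itself was changed;
    a deviation seen at only some resolvers looks like cache poisoning or
    stale propagation and deserves a different response.
    """
    per_key = defaultdict(dict)
    for resolver, observed in snapshots.items():
        for f in detect_hijack(baseline, observed):
            per_key[(f["name"], f["type"])][resolver] = tuple(f["unexpected"])
    scope = {}
    for key, by_resolver in per_key.items():
        everywhere = len(by_resolver) == len(snapshots)
        same_value = len(set(by_resolver.values())) == 1
        scope[key] = "zone-or-delegation-level" if everywhere and same_value else "resolver-specific"
    return scope


if __name__ == "__main__":
    base = parse_dig_answer(BASELINE_DIG)
    now = parse_dig_answer(OBSERVED_DIG)
    for f in detect_hijack(base, now):
        print(f"[{f['severity']}] {f['name']} {f['type']}: "
              f"unexpected={f['unexpected']} missing={f['missing']}")
    print(classify_scope(base, {"resolver-a": now, "resolver-b": now}))
```

Run this on a schedule from a host outside the monitored network, and query both the authoritative servers and a few public resolvers, because a registrar-level change will show up everywhere at once while the site keeps serving normally through the attacker's proxy.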
In years since, news of Sea Turtle has been sparse. But as recent evidence indicates, it never really went away, or even changed that much.
For instance, in a typical campaign from early 2023, Hunt & Hackett researchers observed the group accessing an organization's cPanel Web hosting environment via a VPN connection, then using it to drop an information-gathering Linux reverse shell called SnappyTCP.
Exactly how Sea Turtle obtains the credentials necessary to carry out its Web traffic interception is unclear, the Hunt & Hackett researcher admits, but the options available to them are myriad.
"It could be so many things, because it's a Web server. You could try and brute force it, you could try leaked credentials, basically anything, especially if the people hosting that Web server are managing it themselves. That could be the case if it's a smaller organization, where security is something that's on their agenda, but maybe not so high [up in priority]. Password reuse, standard passwords, we see them all too often everywhere in the world."
It might not have been overly sophisticated, if the rest of the attack is anything to go by. For example, one might expect a nation-state-aligned espionage group to be highly evasive. Indeed, Sea Turtle did take some basic precautions like overwriting Linux system logs. On the other hand, it hosted many of its attack tools on a standard, public (since removed) GitHub account.
In the end, though, the attacks were at least moderately successful. "There was a lot of information going over the line," the researcher says, perhaps the most sensitive instance being an entire email archive stolen from an organization with close ties to Kurdish political entities.
Hunt & Hackett tracks ten APT groups operating in Turkey. Not all are aligned with the state, and a couple belong to the Kurdish opposition, but even with that caveat, the country seems to receive proportionately less press than many of its counterparts.
That, the researcher says, is partially due to size.
"If you look at the Lazarus Group, that's 2,000 people working for North Korea. China has entire hacking programs that are state-sponsored. The sheer volume of attacks from those countries makes them more known and more visible," he says.
However, he adds, it may also have to do with the nature of the government's goals in cyberspace, as the main thing they are known for is political espionage. "They want to know where the dissidents are. They want to find the opposition, want to know where they're at. So the difference with the Iranians, the Russians, is they tend to be a bit more present — especially the Russians, if they deploy ransomware, which is kind of their MO."
"You notice ransomware," he says. "Espionage tends to go unnoticed."
