Turkish espionage campaigns in the Netherlands

Background, Motivations & Targets 

Hunt & Hackett believes that Sea Turtle is a Turkey based Advanced Persistent Threat (APT) actor that is motivated by espionage by means of information theft that targets public and private entities. From 2017 to 2019, this actor has been mainly known for DNS hijacking[1] to achieve their ultimate objectives. The threat actor has since continued to target similar sectors but has altered its capabilities in a likely attempt to evade detection. Since then, the public information on this threat actor has remained limited. In October 2021, Microsoft[2] shed light on SILICON, also recognized as Sea Turtle[3], revealing their pursuit of intelligence gathering aligned with strategic Turkish interests. Other organizations such as the Greek National CERT[4] have observed this actor as well and shared a number of Indicators of Compromise (IOCs) related to this group and their modus operandi in 2022. Other than that, the flow of information has remained limited, and this actor seemed to be operating primarily under the radar. The limited public knowledge base was recently enriched with the PwC threat intelligence report[5] ‘The Tortoise and The Malwahare’, and a  blogpost by StrikeReady[6], detailing this threat actor’s methods.   

What is known to date is that the Sea Turtle group focuses primarily on targeting organizations in Europe and the Middle East. Research suggests this threat actor primarily focuses on governmental bodies, Kurdish (political) groups such as PKK, NGOs, telecommunication entities, ISPs, IT service providers, and Media & Entertainment organisations, mainly aiming at repositories housing valuable and sensitive data. As noted by PwC, telecommunication companies safeguard customer information such as metadata pertaining to website connections and call logs. Additionally, companies providing technological services such as ISP hosting, IT, and cybersecurity are susceptible to attacks directly or through supply chains and island-hopping strategies. When successful, the stolen information is then most likely utilized for surveillance or gathering intelligence on specific targets. The modus operandi of Sea Turtle involves intercepting internet traffic directed at victimized websites, potentially allowing unauthorized access to government networks and other organizational systems. This targeting approach aids in associating actions with the threat actor and provides valuable insights for organizations operating within similar geographic zones or sectors. Their use of a reverse shell mechanism in operations streamlines the collection and extraction of sensitive data, furthering their agenda. An in-depth analysis of victimology reveals the specific types of data sought by this threat actor. 

Sea Turtle campaigns in the Netherlands

Hunt & Hackett observed Sea Turtle conducting multiple campaigns in the Netherlands. The modus operandi used in these attacks is largely consistent with the modus operandi and information published in the earlier mentioned threat intelligence reports.   

Our investigation into one of their attacks indicated that this group exhibits characteristics of a state-supported cyber espionage group, primarily focused on acquiring economic and political intelligence through espionage with the aim of advancing Turkey’s interests. Hunt & Hackett has started tracking this group and has observed more campaigns from this threat actor targeting specific organizations in the Netherlands. These cyberattacks are believed to be orchestrated by Sea Turtle operating in alignment with Turkish interests, signalling an escalation in Turkey's pursuit of objectives within the Netherlands.   

The campaigns observed in the Netherlands appear to focus on telecommunication, media, ISPs and IT-service providers and more specifically Kurdish websites (among others PKK affiliated). The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents. The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals. This appears to be consistent with claims from US officials in 2020 about hacker groups acting in Turkey’s interest, focusing on the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey[7].   

Hunt & Hackett has observed the threat actor executing defense evasion techniques to avoid being detected, and the threat actor has also been observed collecting potentially sensitive data such as email archives. Their modus operandi includes intercepting internet traffic to victim websites, and potentially granting unauthorized access to government networks and other organizations. 

Key Observations

Before diving into the nitty gritty details, Hunt & Hackett would like to provide a summary of key observations. These key points of the overall analysis were specific for the campaigns observed in the Netherlands: 

• Hunt & Hackett has observed campaigns from the threat actor between 2021 and 2023, where during one of the most recent campaigns in 2023, a reverse TCP shell named SnappyTCP for Linux/Unix with basic command-and-control capabilities has been used to establishing persistence on systems; 
• Hunt & Hackett has observed the threat actor to use code from a publicly accessible GitHub account, assess with high probability that this account is controlled by the threat actor. Upon request a copy of this GitHub account can be provided, since the repository has been taken down either by GitHub, or the user; 
• Hunt & Hackett has observed the threat actor compromising cPanel accounts and using SSH to achieve initial access to the IT-environment of an organization; 
• Hunt & Hackett has observed the threat actor executing defense evasion techniques to avoid being detected, and; 
• Hunt & Hackett has observed the threat actor collecting at least one e-mail archive, of one of the multiple victim organizations. 

Modus Operandi

MITRE ATT&CK is a framework of adversary tactics and techniques based on real-world observations. Leveraging this framework helps to understand and document the attack path per phase, as shown in Table 1. The first column describes the tactical goal, the reason for performing an action by the threat actor. Next to which the corresponding findings are described to validate the modus operandi and compared the observations of the recent threat report of PwC and StrikeReady with the observations of Hunt & Hackett to validate the modus operandi of Sea Turtle. 

Table 1 - Overview of the attacker activity mapped to the MITRE ATT&CK framework and compared with the observations of PwC 

Technical Campaign Details

While researching this actor, the most recent campaigns observed by Hunt & Hackett, were initiated early 2023 when the threat actor targeted multiple organizations. During one of the attacks, the threat actor logged on to cPanel, a web hosting control panel used by multiple organizations world-wide, from an IP address[8] that belonged to the range of a VPN provider. This was a legitimate cPanel account, compromised by the attacker. Unfortunately, it is unclear how they obtained access to the cPanel credentials. Days later a cPanel WebMail session was created for that same cPanel account, when it logged on from an IP address[9] belonging to the range of a hosting provider. In addition, the account was used to perform an SSH logon from that same IP-address. Following these logons, source codes files of a reverse shell written in the programming language ‘C’ were downloaded from that .245 IP-address. These source code files were then compiled using GCC. Analysis of the source code files revealed that they contained specific code identical to a reverse shell[10] that was stored in a publicly accessible GitHub repository[11] that is believed to be used by the Sea Turtle attack group. Independent from Hunt & Hackett, PwC recently observed usage of this reverse shell named SnappyTCP and similarly attributed this to the threat actor Sea Turtle.  

Before executing SnappyTCP using the tool NoHup, the domain name forward.boord[.]info and port 443 was written to a configuration file, with which it connected over TCP using HTTP to establish a command-and-control (C&C) channel. NoHup ensured SnappyTCP remained running on the system even after the shell or terminal was exited. At the end of the SSH session anti-forensics was performed by unsetting the command history (Bash) and MySQL history file, and overwriting Linux system logs.  

Weeks later, the cPanel Web Disk Feature accepted another connection. This was an indication that the threat actor was still using this cPanel feature. Based on the actions following the connection, combined with the source being an unfamiliar VPN connection, this activity was classified as malicious. Shortly after, the tool Adminer[12] was installed in the public web directory of one of the compromised cPanel accounts. Adminer is a publicly available database management tool that can be used to remotely logon to the MySQL service of a system. The earlier identified Github repository stores the source code of SnappyTCP, as well as the tool Adminer which indicated that the threat actor was using the software hosted in the earlier mentioned GitHub repository.   

Several weeks after the second cPanel Web Disk connection, the threat actor logged on to cPanel from the VPN provider M247 (82.102.19[.]88), which can be interpreted as the compromise of a second cPanel account. Subsequently, a logon was performed on the same cPanel account and a WebMail session was created for that cPanel account.  

Finally, using SnappyTCP the threat actor sent commands to the system to create a copy of an e-mail archive created with the tool tar, in the public web directory of the website that was accessible from the internet. It is highly likely that the threat actor exfiltrated the e-mail archive by downloading the file directly from the web directory.   

Command & Control 

Hunt & Hackett was able to download the source code of the SnappyTCP from one of the servers used by Sea Turtle (http[://]193.34.167[.]245/c00n/connn.c) alongside other files. As previously described, the SnappyTCP malware reads a config file that contains a domain name and port number. Depending on the version of the malware and whether the connection must be encrypted or not, the malware does an HTTP GET with the request URI ‘sy.php’. If the header ‘X-Auth-43245-S-20’ is returned by the server, SnappyTCP then checks if output has sufficient size and if the first character does not start with an ‘@’. If this is the case, a reverse shell is spawned using the IP and port returned by the server. Otherwise, the whole sequence will restart after a short amount of sleep.   

The command-and-control (C&C) channel is setup with what Hunt & Hackett believes is a form of Socat, as detected by the THOR APT Scanner on Virustotal[13]. This also collaborates with the fact that Socat shares the same commandline characteristics and the fact that Socat was also found on the same server (http[://]193.34.167.245/c00n/socat). Running the tool Socat (or a modified version of it) targeting known C&C servers of Sea Turtle resulted mostly in the HTTP response ‘@8.8.8.8:443’. Since the code checks if the start of the string starts with ‘@’, this output is ignored. As shown in Table 2, the C&C servers of Sea Turtle returned the IP-addresses and a domain name related to DNS services of Google, during the time of writing. 

Table 2 - The response returned by command-and-control servers used by Sea Turtle

At the time of writing it’s unknown if these C&C servers are used to setup C&C channels for a long period by changing from C&C server when necessary of if they serve use in other campaigns.

Recommendations

During analysis of the campaigns by Sea Turtle, multiple observations were made. These observations all introduced cyber security risks, or directly contribute possibility of conducting similar attacks. Therefore Hunt & Hackett recommends organizations such as telecommunication providers, ISPs and managed service provider within the IT domain, to address the following recommendations to reduce both the attack surface as well as the likelihood of becoming a victim of this threat actor.  

• Deploy EDR and monitor systems for network connections executed processes, file creation/modification/deletion and account activity, and store logfiles in a central location. Ensure sufficient storage capacity for historic forensic investigation purposes. 
• Create and enforce a password policy with adequate complexity requirements for specific accounts. 
• Store passwords in a secrets management system, that can also be used by development environments. 
• Limit logon attempts on accounts to reduce the chance of successful brute force attacks. 
• Enable 2FA on all externally exposed accounts. 
• Keep software up to date to reduce number of vulnerabilities in externally exposed systems. 
• Reduce the number of systems that can be reached over internet using SSH. Where this is still necessary, it is recommended to implement an SSH-logon rate-limit. 
• Implement egress network filtering to prevent malicious processes such as reverse shells to successfully sent network traffic to not-allowed IP-addresses. 

Appendix 1: Indicators of Compromise

This appendix provides an overview of the indicators of compromise that have been observed by Hunt & Hackett while tracking the threat actor Sea Turtle, in addition to indicators published by PwC[5] and StrikeReady[6]. 

Table 3 - Indicators of compromise of the threat actor Sea Turtle 

References

[1] DNS Hijacking Abuses Trust In Core Internet Service - Cisco Talos (talosintelligence.com)

[2] Microsoft Digital Defense Report (2021)

[3] How Microsoft Names Threat Actors (microsoft.com)

[4] Η Εθνική Αρτή Ανηιμεηώπιζης Ηλεκηρονικών Επιθέζεων μας ενημέρωζε για ηα παρακάηω

[5] The Tortoise and The Malwahare - PwC (pwc.com)

[6] Pivoting through a Sea of indicators to spot Turtles - Strike Ready (blog.strikeready.com)

[7] Exclusive: Hackers acting in Turkey’s interests believed to be behind recent cyberattacks - Reuters

[8] 62.115.255[.]163

[9]  193.34.167[.]245 

[10] https://www.virustotal.com/gui/file/293703318fab4ad56124d37e6c93d1aecbce4c656782c40fce5d67f3b4149558/details

[11] https[://]github.com/jacksp7/webtest/ 

[12] https://www.adminer.org/

[13] https://www.virustotal.com/gui/file/71c81cb46dd1903f12f3aef844b0fc559f31e2f613a8ae91ffb5630bc7011ef5/community

Questions, concerns or feedback?