Threat Actor ProfileSea Turtle
In the past year, Hunt & Hackett has observed cyberattacks in the Netherlands, which are believed to have been orchestrated by a cyber threat actor operating in alignment with Turkish interests, signalling an escalation in Turkey's pursuit of objectives within Western nations. Hunt & Hackett has started tracking this group known by aliases such as Sea Turtle, Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf. This blog aims to contribute to the current existing knowledge base by aligning our observations with the known modus operandi of this threat actor. The information is intended to help (security) organizations better prepare for and safeguard against the methods and tools used by this APT group.
Request a free membership to access our full research insights
- Aliases: Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf
- Strategic motives: primarily focused on acquiring economic and political intelligence through espionage and information theft that targets public and private entities
- Affiliation: Turkey
- Cyber capabilities: ★★★☆☆
- Target sectors: Government entities, Kurdish (political) groups like the PKK, telecommunication, ISPs, IT-service providers (including security companies), NGO and Media & Entertainment
Origins, Motivations & Targets
Hunt & Hackett believes that Sea Turtle is a Turkey based Advanced Persistent Threat (APT) actor that is motivated by espionage by means of information theft that targets public and private entities. From 2017 to 2019, this actor has been mainly known for DNS hijacking to achieve their ultimate objectives. The threat actor has since continued to target similar sectors but has altered its capabilities in a likely attempt to evade detection. Since then, the public information on this threat actor has remained limited. In October 2021, Microsoft shed light on SILICON, also recognized as Sea Turtle, revealing their pursuit of intelligence gathering aligned with strategic Turkish interests. Other organizations such as the Greek National CERT have observed this actor as well and shared a number of Indicators of Compromise (IOCs) related to this group and their modus operandi in 2022. Other than that, the flow of information has remained limited, and this actor seemed to be operating primarily under the radar. The limited public knowledge base was recently enriched with the PwC threat intelligence report ‘The Tortoise and The Malwahare’, and a blogpost by StrikeReady, detailing this threat actor’s methods.
What is known to date is that the Sea Turtle group focuses primarily on targeting organizations in Europe and the Middle East. Research suggests this threat actor primarily focuses on governmental bodies, Kurdish (political) groups such as PKK, NGOs, telecommunication entities, ISPs, IT service providers, and Media & Entertainment organisations, mainly aiming at repositories housing valuable and sensitive data. As noted by PwC, telecommunication companies safeguard customer information such as metadata pertaining to website connections and call logs. Additionally, companies providing technological services such as ISP hosting, IT, and cybersecurity are susceptible to attacks directly or through supply chains and island-hopping strategies. When successful, the stolen information is then most likely utilized for surveillance or gathering intelligence on specific targets. The modus operandi of Sea Turtle involves intercepting internet traffic directed at victimized websites, potentially allowing unauthorized access to government networks and other organizational systems. This targeting approach aids in associating actions with the threat actor and provides valuable insights for organizations operating within similar geographic zones or sectors. Their use of a reverse shell mechanism in operations streamlines the collection and extraction of sensitive data, furthering their agenda. An in-depth analysis of victimology reveals the specific types of data sought by this threat actor.
Key Observations
Before diving into the nitty gritty details, Hunt & Hackett would like to provide a summary of key observations. These key points of the overall analysis were specific for the campaigns observed in the Netherlands:
- Hunt & Hackett has observed campaigns from the threat actor between 2021 and 2023, where during one of the most recent campaigns in 2023, a reverse TCP shell named SnappyTCP for Linux/Unix with basic command-and-control capabilities has been used to establishing persistence on systems;
- Hunt & Hackett has observed the threat actor to use code from a publicly accessible GitHub account, assess with high probability that this account is controlled by the threat actor. Upon request a copy of this GitHub account can be provided, since the repository has been taken down either by GitHub, or the user;
- Hunt & Hackett has observed the threat actor compromising cPanel accounts and using SSH to achieve initial access to the IT-environment of an organization;
- Hunt & Hackett has observed the threat actor executing defense evasion techniques to avoid being detected, and;
- Hunt & Hackett has observed the threat actor collecting at least one e-mail archive, of one of the multiple victim organizations.
More detailed information about this actor?
Sea Turtle in the Netherlands
Hunt & Hackett observed Sea Turtle conducting multiple campaigns in the Netherlands. The modus operandi used in these attacks is largely consistent with the modus operandi and information published in the earlier mentioned threat intelligence reports.
Our investigation into one of their attacks indicated that this group exhibits characteristics of a state-supported cyber espionage group, primarily focused on acquiring economic and political intelligence through espionage with the aim of advancing Turkey’s interests. Hunt & Hackett has started tracking this group and has observed more campaigns from this threat actor targeting specific organizations in the Netherlands. These cyberattacks are believed to be orchestrated by Sea Turtle operating in alignment with Turkish interests, signalling an escalation in Turkey's pursuit of objectives within the Netherlands.
The campaigns observed in the Netherlands appear to focus on telecommunication, media, ISPs and IT-service providers and more specifically Kurdish websites (among others PKK affiliated). The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents. The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals. This appears to be consistent with claims from US officials in 2020 about hacker groups acting in Turkey’s interest, focusing on the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey.
Hunt & Hackett has observed the threat actor executing defense evasion techniques to avoid being detected, and the threat actor has also been observed collecting potentially sensitive data such as email archives. Their modus operandi includes intercepting internet traffic to victim websites, and potentially granting unauthorized access to government networks and other organizations.