Source: Marius Graf via Alamy Stock Photo
A group aligned with the interests of the government of Turkey has been turning up its politically motivated cyber espionage lately, targeting Kurdish opposition groups through high-value supply chain targets in Europe, the Middle East, and North Africa.
Following some years out of the limelight, Sea Turtle (aka Teal Kurma, Marbled Dust, Silicon, or Cosmic Wolf) is now back under scrutiny, most recently thanks to multiple campaigns targeting organizations in the Netherlands, tracked by the research group Hunt & Hackett. Since 2021, victims of these campaigns have spanned targets in media, telecommunications, internet service providers, and IT service providers, with a specific focus on reaching websites associated with Kurds and the Kurdistan Workers' Party (PKK).
Turkey has been in conflict with Kurdish opposition groups, primarily represented by the PKK, for decades. Tens of thousands of ethnic Kurds live in the Netherlands.
"You can imagine that an attacker aligning with Turkish political interests has significant interest in where the dissident Kurds are in Europe," warns one member of the Hunt & Hackett research team, who chose to remain anonymous for this story.
Sea Turtle's Return From Extinction
Evidence of Sea Turtle activity dates back to 2017, but the group was only first discovered in 2019. By that time, it had already compromised more than 40 organizations — including many in government and the military — spread across 13 countries, primarily in the Middle East and Africa.
Each of those cases involved a DNS hijack, manipulating targets' DNS records so as to redirect incoming traffic to their own servers, before sending them on to their intended destinations.
In years since, news of Sea Turtle has been sparse. But as recent evidence indicates, it never really went away, or even changed that much.
For instance, in a typical campaign from early 2023, Hunt & Hackett researchers observed the group accessing an organization's cPanel Web hosting environment via a VPN connection, then using it to drop an information-gathering Linux reverse shell called "SnappyTCP."
Exactly how Sea Turtle obtains the credentials necessary to carry out its Web traffic interception is unclear, the Hunt & Hackett researcher admits, but the options available to them are myriad.
"It could be so many things, because it's a Web server. You could try and brute force it, you could try leaked credentials, basically anything, especially if the people hosting that Web server are managing it themselves. That could be the case if it's a smaller organization, where security is something that's on their agenda, but maybe not so high [up in priority]. Password reuse, standard passwords, we see them all too often everywhere in the world."
It might not have been overly sophisticated, if the rest of the attack is anything to go by. For example, one might expect a nation-state-aligned espionage group to be highly evasive. Indeed, Sea Turtle did take some basic precautions like overwriting Linux system logs. On the other hand, it hosted many of its attack tools on a standard, public (since removed) GitHub account.
In the end, though, the attacks were at least moderately successful. "There was a lot of information going over the line," the researcher says, perhaps the most sensitive instance being an entire email archive stolen from an organization with close ties to Kurdish political entities.
Is Turkey Overlooked in Cyberspace?
Hunt & Hackett tracks ten APT groups operating in Turkey. Not all are aligned with the state, and a couple belong to the Kurdish opposition, but even with that caveat, the country seems to receive proportionately less press than many of its counterparts.
That, the researcher says, is partially due to size.
"If you look at the Lazarus Group, that's 2,000 people working for North Korea. China has entire hacking programs that are state-sponsored. The sheer volume of attacks from those countries makes them more known and more visible," he says.
However, he adds, it may also have to do with the nature of the government's goals in cyberspace, as "the main thing they are known for is political espionage. They want to know where the dissidents are. They want to find the opposition, want to know where they're at. So the difference with the Iranians, the Russians, is they tend to be a bit more present — especially the Russians, if they deploy ransomware, which is kind of their MO."
"You notice ransomware," he says. "Espionage tends to go unnoticed."