Dutch Cybersecurity Alert: Sea Turtle Targets Key Telecommunication and IT Services

A new cyber-espionage campaign is currently unfolding in the Netherlands, targeting telecommunication companies, internet service providers, IT services, and Kurdish websites. The campaign is attributed to the group known as Sea Turtle, which is linked to Turkey, as reported by the Dutch cybersecurity firm Hunt&Hackett.

According to the firm’s analysis, the infrastructure of the targets is subjected to supply chain attacks and the tactic of “island-hopping.” During the attacks, information related to politics, including personal data about minorities and potential political dissidents, was collected. The stolen data will likely be used for surveillance or gathering intelligence on specific groups or individuals.

The Sea Turtle group, also known under names like Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019. The report described government-sponsored attacks aimed at public and private organizations in the Middle East and North Africa. Sea Turtle’s activities began in January 2017 and primarily involved DNS Hijacking to redirect victims to malicious servers to steal user credentials.

By the end of 2021, Microsoft indicated that Sea Turtle conducts intelligence gathering that aligns with Turkey’s strategic interests in countries such as Armenia, Cyprus, Greece, Iraq, and Syria. The group attacks telecommunication and IT companies to establish a foothold en route to their desired targets through the exploitation of known vulnerabilities. In December 2023, it was revealed that the group uses a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks conducted from 2021 to 2023.

The latest data from Hunt & Hackett shows that Sea Turtle continues to remain a covert espionage group, employing evasion techniques to operate discreetly and amass email archives.

One of the 2023 attacks involved using a compromised but legitimate cPanel account as the initial point of access for deploying SnappyTCP in the system. It is currently unknown how the attackers obtained the cPanel credentials. Using SnappyTCP, the malefactor sent commands into the system to create a copy of the email archive, made using the tar tool, in the site’s public web directory. The hacker likely penetrated the email archive by directly downloading the file from the web directory, the specialists note.

To mitigate risks associated with such attacks, organizations are advised to implement strict password policies, and two-factor authentication, limit the number of login attempts to reduce the likelihood of password brute-forcing, monitor SSH traffic, and update all systems and software.