Rewterz Threat Alert – New Cyber Espionage Campaign by Sea Turtle APT Targets Dutch IT and Telecom Organizations – Active IOCs

Severity

Medium

Analysis Summary

A new cyber espionage campaign is targeting multiple sectors like media, telecommunication, internet service providers (ISP), Kurdish websites, and information technology (IT) service providers in the Netherlands by a Türkiye-linked threat actor called Sea Turtle.

The targets’ infrastructure is vulnerable to island-hopping and supply chain attacks that the threat actors used to harvest politically motivated intelligence like personal information on minority groups. The security researchers said that this stolen information could be exploited for surveillance activities targeting specific individuals or groups.

Sea Turtle (aka Marbled Dust, Silicon, Cosmic Wolf, UNC1326, and Teal Kurma) was first discovered in April 2019 performing state-sponsored attacks targeting private and public sectors in North Africa and the Middle East. However, it is believed that the group has been active since as far as January 2017 when it mainly used DNS hijacking to redirect targeted users trying to query a specific domain to an actor-controlled server that could steal their credentials.

In late 2021, Microsoft revealed that the espionage group collects intelligence to support Turkish strategic interests from nations like Cyprus, Iraq, Armenia, Greece, and Syria. Their targets are the IT and telecom companies to establish a foothold upstream by exploiting known vulnerabilities. Just last month, the group was discovered to be using a simple reverse TCP shell “SnappyTCP” for Linux and Unix systems in attacks that were performed during 2021 and 2023.

The reverse TCP shell features basic command-and-control (C2) capabilities and is very likely used for establishing persistence in the targeted system. There are at least two main variants, one uses OpenSSL to establish a secure connection over TLS, and the other omits this ability and sends requests in cleartext. The latest discoveries show that Sea Turtle continues to be a stealthy advanced persistent threat group that focuses on evading detection and harvesting email archives to carry out espionage activities.

In one of the 2023 attacks, a compromised yet legitimate cPanel account was observed to be used as an initial access vector to propagate SnappyTCP into the device. It is unknown how the threat actors obtained the credentials. SnappyTCP is used to send commands to the infected system and create a copy of an email archive with the tool tar. It seems likely that the cybercriminals exfiltrated the email archive by downloading the file directly from the web directory.

It is highly advised that organizations enforce strong password policies, rate limit login attempts to reduce the risk of brute-force attempts, implement multi-factor authentication (MFA), keep all systems and software up-to-date, and monitor SSH traffic.

Impact

• Cyber Espionage
• Sensitive Information Theft

Indicators Of Compromise

Domain Name

• lo0.systemctl.network
• systemctl.network

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zerodays.
• Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
• Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
• Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
• Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
• Deploy IDPS solutions to detect and block suspicious network traffic and intrusions. 
• Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before they are exploited by attackers.
• Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the threat actors.