Dutch firms, sites targeted by Sea Turtle cyberespionage campaign

Security Affairs – Pierluigi Paganini
The Sea Turtle cyber espionage group, also known as Teal Kurma, Marbled Dust, SILICON, and Cosmic Wolf, has been observed by Dutch security firm Hunt & Hackett targeting various organizations in the Netherlands, including telcos, media outlets, ISPs, IT service providers, and Kurdish websites.
The threat actors have been active since at least 2017, focusing on Europe and the Middle East.
Initially relying on DNS hijacking, the group has since added supply chain and island-hopping attacks to target government entities, Kurdish political groups, telecommunications providers, ISPs, IT service providers, NGOs, and the media and entertainment sectors.
Their activities have become more sophisticated, as observed in recent attacks where they utilized a reverse TCP shell named SnappyTCP to target Linux/Unix systems.
The group has also leveraged code from a publicly accessible GitHub account and compromised cPanel accounts using SSH to gain initial access to targeted organizations.
They have been observed collecting email archives from victim organizations.
To mitigate exposure to Sea Turtle attacks, the researchers recommend deploying EDR, enforcing a password policy with complexity requirements, storing passwords in a secrets management system, enabling 2FA on exposed accounts, keeping software up to date, reducing the number of internet-accessible systems that expose SSH, rate-limiting SSH logons, and filtering egress network traffic.
The report also provides Indicators of Compromise (IoCs) to help identify a potential compromise.
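Two of the recommendations above, rate-limiting SSH logons and watching the SSH-exposed systems that remain, both start from the same data: the sshd authentication log. The script below is an added example, not code from the Security Affairs article or from the Hunt & Hackett report, and it shows one way a defender can turn that log into an alert: parse OpenSSH "Failed password" lines and flag any source address that exceeds a failure budget inside a sliding time window. The log lines, hostnames and IP addresses are constructed sample data (documentation address ranges), and the thresholds are illustrative assumptions.

```python
"""Added example (not from the article or the Hunt & Hackett report):
a sliding-window detector for bursts of failed SSH logons, the kind of
check that backs an SSH-logon rate limit or an alert on the sshd auth log.
All log lines below are constructed sample data; IPs are documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic OpenSSH syslog line:
# "Jan 15 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 50211 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one noisy source and one legitimate user with a typo.
SAMPLE_AUTH_LOG = [
    "Jan 15 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 50211 ssh2",
    "Jan 15 10:00:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2",
    "Jan 15 10:00:09 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 50215 ssh2",
    "Jan 15 10:00:15 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 50217 ssh2",
    "Jan 15 10:00:22 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 50219 ssh2",
    "Jan 15 10:00:31 web1 sshd[2111]: Failed password for root from 203.0.113.7 port 50221 ssh2",
    "Jan 15 10:00:40 web1 sshd[2113]: Accepted publickey for deploy from 198.51.100.9 port 40100 ssh2",
    "Jan 15 10:01:10 web1 sshd[2115]: Failed password for deploy from 198.51.100.9 port 40102 ssh2",
    "Jan 15 10:05:00 web1 sshd[2117]: Failed password for deploy from 198.51.100.9 port 40104 ssh2",
]


def parse_failed_logons(lines, year=2024):
    """Yield (timestamp, user, source_ip) for each failed sshd password attempt.
    Syslog lines carry no year, so the caller supplies one (assumption)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logons and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bursts(lines, max_failures=5, window_seconds=60):
    """Return {source_ip: peak_count} for sources that exceed max_failures
    failed logons within any window_seconds-long sliding window."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    # Sort by timestamp so each window is evaluated in order.
    for ts, _user, ip in sorted(parse_failed_logons(lines)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) > max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_AUTH_LOG).items():
        print(f"ALERT: {ip} made {count} failed SSH logons within 60 seconds")
```

On the sample data only the noisy source is reported; the legitimate user's two failures, minutes apart, stay under the budget. The window and threshold are where the rate limit is tuned: a tighter window catches fast guessing, a longer one with a low threshold catches slow, patient attempts, and the flagged addresses are what a host firewall rule or a SIEM alert would act on.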
Link: https://securityaffairs.com/157021/apt/sea-turtle-targets-dutch-entities.html