New Player Has Entered the Game: Turkish APT Sea Turtle

Among the most notable APT groups recently has been the Sea Turtle group, alternatively referred to as Teal Kurma, Silicon, UNC1326, and Cosmic Wolf. The group is outstanding within the cybersecurity fraternity for advanced and customized cyber-espionage operations.

Ensar Seker
11 min readJan 13, 2024

Historical Background

The Sea Turtle Group’s historical background is a kaleidoscope of cutting-edge cyber-espionage endeavors, primarily distinguished by its creative use of compromise elements. This period from 2018 to 2020 witnessed the group’s emergence, which has a definite orientation towards governmental targets in specific geopolitical areas in cyber espionage and lays its cornerstones as a strong contender.

Emergence and Initial Operations (2018–2020)

It was in 2018 that the name Sea Turtle first hit the headlines as a cyberespionage actor. Competence at the little-used cyber-espionage tool of DNS hijacking marked it out for attention when it forced its way to center stage. DNS hijacking is different because it does not directly use phishing or attacking of the networks. On the other hand, DNS hijacking uses the compromise of the Domain Name System (DNS). Then, it lures the users into visiting the wrong websites without their knowledge instead of visiting the real ones. This enables the attackers to silently intercept and manipulate web and email traffic against the targets’ intentions.

Source: https://www.huntandhackett.com/blog/turkish-espionage-campaigns

Calculated Move — Strategic Retreat

The phase seemingly represented a disbandment or an activity slowdown for the Sea Turtle group after 2020 but was actually neither, as the data and analysis of the actors’ attacks demonstrate. Instead, the seemingly reduced activity could be interpreted as a step back that resulted in a meaningful change in attack tactics and goals. This shows them to be an adaptable threat actor amid an evolving cybersecurity landscape.

Post-2020, the reduction in DNS hijack activity of the group Sea Turtle made people guess whether they had gone blooms-bury. Such a retreat in cybersecurity, where threat actors are usually very adaptive to avoid detection and countermeasures, could mean re-strategizing, re-tooling, or moving on to other targets. This was a calculated move period in which they re-evaluated and fine-tuned their approach towards heightened awareness and defenses on DNS hijacking for Sea Turtle.

Source: https://www.huntandhackett.com/blog/turkish-espionage-campaigns

Evolution in Tactics

The Sea Turtle set was not sitting still through this retreat. Actually, they were actively retooling and tweaking their operational tactics. Shifting now from the more detectable DNS hijacking approach to classic espionage moves. This evolution is hallmarking a deeper comprehension of cyber-operations and adapting to stealthier and more sustainable means of intrusion and harvesting of information.

The Transition towards Classic Espionage

However, infiltration was probably taking place more surreptitiously with the group’s change of approach to classic espionage tactics. Most definitely, this may have included advanced phishing maneuvers, software chinks that would be exploited, and zero-day attacks, among other advanced maneuvers. These would keep them under the radar while still meeting their data exfiltration and surveillance objectives.

Refined Target Selection

Alongside tactical evolution, there was also a noticeable shift in the group’s target selection. While their initial focus was on government entities in specific regions, their evolved approach broadened their target spectrum, potentially including a wider range of sectors and geographies. This shift indicates a possible expansion of their objectives or alignment with broader intelligence-gathering goals.

Enhanced Technical Sophistication

The evolution of Sea Turtle also involved an enhancement in their technical sophistication. The reported use of SnappyTCP, a reverse shell backdoor, and the creation of decoy websites are testaments to their advanced capabilities. SnappyTCP, targeting Linux and Unix systems, focused on penetrating more robust and secure environments, while the decoy websites demonstrated a nuanced application of social engineering and misinformation.

Source: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html

Shift in Focus: From DNS Hijacking to Classic Espionage Tactics

A closer look into the evolution from DNS hijacking to classical espionage tactics in the Sea Turtle group is a clarion call for huge strides in their operational focus and methodology. A very adaptable and sophisticated group is keeping pace with the cybersecurity landscape.

The Sea Turtle group was first thrust into the limelight through a series of DNS hijacking campaigns, an unusually sophisticated form of cyberattack. This is an attack in which the Domain Name System is tampered with to divert online traffic intended for legitimate sites to imitate websites run by the attackers. This approach enabled such malicious individuals to secretly intercept targeted entities’ communications, credentials, and sensitive information, which mainly constituted governments in most geopolitical regions.

Reasons for the Shift

  1. Enhanced Detection and Defense: As DNS hijacking became more recognized and countermeasures improved, continuing these operations with the same level of success became challenging. Organizations began implementing stronger security protocols and defenses, specifically against DNS manipulation.
  2. Sustainability and Stealth: Classic espionage tactics are generally more sustainable and less conspicuous than DNS hijacking. By adopting these methods, the Sea Turtle group could maintain a lower profile, reducing the likelihood of detection and enabling long-term operations within target networks.
  3. Expanding Operational Goals: The shift also suggests expanding the group’s operational goals. Classic espionage offers broader opportunities for data collection, surveillance, and potentially more direct interference with the target’s operations.

New Tactics and Techniques

The group’s strategic cyberespionage tactics, which included using hacked cPanel accounts for initial breaches and later pivoting via SSH, are evidence of these. The techniques enable the group to gain a footing not only from the initial but also tap more into deeper network infiltration and access to data. Awareness of such methods is imperative, as organizations need to develop stronger security measures, emphasizing the need for alert monitoring, continuous updating, strong password policies, and educating employees about such major threats to prevent them.

In their evolved form, the Sea Turtle group employed several classic espionage techniques:

  • Targeted Phishing Attacks: Crafting convincing phishing emails to trick individuals in targeted organizations into divulging credentials or installing malware.
  • Exploiting Vulnerabilities: Identifying and exploiting weaknesses in software used by target organizations, which could include zero-day vulnerabilities not yet known to the public or the software vendors.
  • SnappyTCP and Other Tools: Using sophisticated tools like SnappyTCP, a reverse shell backdoor, highlights their advanced technical capability to gain and maintain access to target systems.

A. Initial Breach Techniques of the Sea Turtle Group

The group Sea Turtle uses cyberespionage tactics to demonstrate its evolution and taste in its initial breach. Two techniques that have stood out are compromising cPanel accounts and pivoting through Secure Shell (SSH). Learning these techniques gives an overview of what the group is capable of and provides some lessons regarding defense in cybersecurity.

  1. Facilitated cPanel Accounts

The How:

  • Exploited Vulnerabilities: Some of the vulnerabilities the Sea Turtle group had exploited were probably embedded within the cPanel software. These vulnerabilities may have covered a large range, including previous software versions for which known exploits had not been patched to unknown zero-day vulnerabilities.
  • Phishing Campaigns: Phishing campaigns targeted at cPanel users are another viable option. By convincing the administrators to provide their login credentials, attackers will take over control of the cPanel.
  • Brute Force Attacks: The group may also have carried out brute force attacks on cPanel accounts with weak security, trying various combinations of passwords to gain unauthorized access.

The Why:

  • Centralized Control: cPanel is a widely popular web hosting control panel that helps manage websites and hosting accounts.Accessing cPanel accounts will give centralized control of the hosted websites and related services.
  • Gateway to Further Exploitation: Once the attackers control any cPanel account, they can quickly manipulate web content and other controls, including email services and databases, which can be a perfect starting point for further malicious activities.
  • Stealth and Efficacy: Compromising cPanel might be more stealthy than an immediate website takedown, allowing entrance that can last longer before detection and supporting data exfiltration.

2. Pivoting via SSH

Pivoting Explained

Pivoting is the act of using an initially breached system to gain further access to the target network. It is a way to move inside a network, access other systems, and escalate privileges.

Methodology

  • Initial Access via Compromised cPanel Accounts: After the Sea Turtle group acquires a cPanel account, they will start operating SSH access on the account. The group could add its SSH keys to the server or take advantage of an already existing SSH configuration on the machine.
  • The Use of SSH for Lateral Movement: Secure Shell, or SSH, is a cryptographic network protocol for secure data communication, remote command-line login, and other secure network services. While using SSH, the attackers could move laterally within the network securely and silently.
  • Escalating Privileges: Pivoting altogether is utilized for escalating privileges ultimately. If an attacker has SSH access, it will allow him to execute commands, deploy tools, or exploit extra vulnerabilities within the network to gain higher-privileged access. Maintaining Persistence: SSH can be used to persist within a network in such a way that it gives continued access for further operations or even data exfiltration.

Using SSH for Pivoting:

  • Secure and Covert: Because SSH, by default, secures the channel with encryption, it will be less likely to raise an alarm.
  • Ubiquity and Trust: SSH is so pervasive in the workings of many organizations that its traffic is less suspicious and more often enjoys intrinsic trust within network environments.
  • Flexibility and Power: SSH can execute a large set of commands and access resources, which makes it a powerful tool.
Source: https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/

B. SnappyTCP Backdoor

The Sea Turtle group’s use of the SnappyTCP backdoor represents a significant aspect of their evolved cyber-espionage toolkit. This section explores the mechanism of action of the SnappyTCP backdoor and examines its impact on affected organizations through hypothetical case studies.

Source: https://malpedia.caad.fkie.fraunhofer.de/details/elf.snappy_tcp

SnappyTCP is a reverse shell backdoor targeting Linux and Unix systems, which the Sea Turtle has used in recent operations. Some specific technical aspects of SnappyTCP include:

  • Payloads and Commands: SnappyTCP has been observed delivering various payloads and commands, including collecting email archives and potentially exploiting the stolen information for surveillance or intelligence gathering on specific individuals or groups.
  • Communication Protocol: SnappyTCP uses TCP/IP for communication, allowing it to connect with other systems over a network.
  • Features: SnappyTCP provides a persistent backdoor on compromised systems, enabling attackers to maintain access and collect data from the victim’s environment. It can also be used for data exfiltration directly to the command-and-control (C2) server using TCP or HTTP connections.
  1. Fundamentals of SnappyTCP:
  • Reverse Shell Backdoor: SnappyTCP is a type of reverse shell backdoor primarily targeting Linux and Unix systems. A reverse shell is a method attackers use to establish a command-line session with a victim’s machine. Once active, it connects back to the attacker’s system, allowing them to remotely control the compromised machine.
  • Stealth and Evasion: SnappyTCP is designed to operate stealthily, evading standard detection mechanisms. It likely uses encryption and mimics legitimate network traffic to blend in, making its detection challenging for traditional security tools.

2. Persistent Access:

  • Maintaining a Foothold: One of the key features of SnappyTCP is its ability to maintain persistent access to a compromised system. Establishing automated systems that guarantee the backdoor is active and accessible even after system reboots or network changes typically achieves this.
  • Remote Control: With persistent access, attackers can remotely execute commands, deploy additional malware, or manipulate system configurations as needed.

3. Data Collection:

  • Information Exfiltration: SnappyTCP allows the Sea Turtle group to exfiltrate sensitive data from the targeted systems. This can include confidential documents, emails, credentials, and more.
  • Surveillance: The backdoor also facilitates ongoing surveillance activities, enabling the attackers to continuously monitor the victim’s actions, network traffic, and communications.

The SnappyTCP backdoor is a potent tool in the Sea Turtle group’s arsenal, enabling them to conduct persistent, stealthy surveillance and data exfiltration. The impact of such a tool on affected organizations can be profound, ranging from the loss of sensitive information and intellectual property to the potential manipulation of critical public functions and services. These case studies underscore the need for robust security measures, including advanced threat detection systems, regular security audits, and employee training, to defend against such sophisticated threats.

Source: https://cybersecuritynews.com/snappytcp-reverse-shell/#google_vignette

C. Windows Malware Artifacts

The Sea Turtle group’s use of Windows malware artifacts, cleverly disguised as software updates, represents a strategic and deceptive method of infiltrating target systems.

  1. Strategy of Disguise:
  • Mimicking Legitimacy: The Sea Turtle group disguised their malware as routine software updates, exploiting users’ trust in update mechanisms. This strategy significantly increases the likelihood that unwary victims will willingly execute the malware.
  • Exploiting Routine Processes: Software updates are a regular part of organizational and individual computer maintenance.By camouflaging malware within these updates, the group ensured their malicious payloads could infiltrate systems under the guise of legitimate operations.

2. Execution Method:

  • Phishing or Compromised Websites: The disguised malware could be distributed through phishing emails that direct users to compromised or fake websites where the fake updates are hosted.
  • Automatic Update Mechanisms: In more complex scenarios, the group could compromise actual update distribution mechanisms to ensure that the target system automatically downloads and installs the malware.

3. Capabilities of the Malware:

  • Data Exfiltration: One primary capability is likely to extract sensitive data from the infected systems, including documents, credentials, and communication records.
  • Remote Control and Surveillance: The malware could allow attackers to remotely control infected systems, monitor user activities, and intercept communications.
  • Lateral Movement and Escalation: It might also facilitate lateral movement within a network, allowing attackers to spread the infection to other systems and potentially escalate their privileges for broader access.

4. Impact on Affected Organizations:

  • Compromise of Sensitive Information: The most direct impact is the potential compromise of sensitive organizational information, which can have severe consequences depending on the nature of the data.
  • Operational Disruption: Malware infections can lead to operational disruptions, system downtime, and, in severe cases, a complete halt of business activities.
  • Financial Losses: The costs associated with responding to and recovering from a malware attack can be substantial, including remediation efforts, loss of business, legal fees, and potential fines.
  • Reputational Damage: An organization’s reputation can suffer significantly if it becomes known to be compromised, particularly if customer data is affected.
  • Long-Term Security Implications: The presence of such malware can have long-term security implications, as it may indicate broader vulnerabilities within the organization’s network.
Source: https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/

The Sea Turtle group’s use of Windows malware artifacts disguised as software updates is a testament to their cunning and strategic thinking. This infiltration method increases the chances of successful deployment and highlights the need for organizations to maintain a high level of vigilance, even with routine processes like software updates. Such malware’s potential capabilities and impacts demand a robust cybersecurity posture, encompassing regular system audits, employee education on cyber threats, and implementing advanced malware detection and prevention technologies.

--

--

Ensar Seker

Cybersecurity | Artificial Intelligence | Blockchain