Sea Turtle Hackers Spy on Dutch ISPs and Telecommunication Companies

Sea Turtle Turkish state-backed group changed to focus on internet service providers (ISPs), telcos, media, and Kurdish websites.

Sea Turtle exploits known vulnerabilities and compromised accounts to gain initial access. DNS hijacking and traffic redirection that leads to man-in-the-middle attacks are among their cyber espionage techniques.

Their goal is to collect economic and political intelligence for Turkey.

How do the Sea Turtle attacks work

To gain initial access, the threat actors compromise cPanel accounts and use SSH to advance into the system.

The novelty is the group uses “SnappyTCP” for various purposes. The tool is an open-source reverse TCP shell for Linux systems. Its main uses in Sea Turtle`s cyber espionage campaigns are:

• Create a persistent backdoor
• Establish command-and-control (C2) capabilities for remote command execution
• Evasion techniques
• Data Exfiltration – Hackers use SnappyTCP to send data directly to their C2 server using TCP or HTTP connections.

The tool remains active on the system to serve as a persistent backdoor by using the ‘NoHup’ command, preventing its termination even when the threat actors have logged out.

Source – BleepingComputer.com

The researchers also found the Adminer database management tool installed in the public directory of one of the compromised cPanel accounts. This means hackers achieved persistent data access and were able to run SQL commands.

How to keep data safe from Sea Turtle hackers

Like most of the hackers, the Sea Turtle threat group too uses known, unpatched vulnerabilities to breach systems.

Besides setting an effective patch management process in place, you should also:

• Enforce network monitoring and network segmentation
• Use multi-factor authentication for privileged accounts
• Reduce SSH exposure
• Use DNS filtering to cut off any inbound or outbound malicious communication
• Enforce End-to-End encryption to protect sensitive data even if the hackers get access to the database

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Newsletter

If you liked this post, you will enjoy our newsletter.

Get cybersecurity updates you'll actually want to read directly in your inbox.

I agree to have the submitted data processed by Heimdal Security according to the Privacy Policy

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.