Turkish APT 'Sea Turtle' Resurfaces to Spy on Kurdish Opposition

A group aligned with the interests of the government of Turkey has been turning up its politically motivated cyber espionage lately, targeting Kurdish opposition groups through high-value supply chain targets in Europe, the Middle East, and North Africa.
Following some years out of the limelight, Sea Turtle is now back under scrutiny, most recently thanks to multiple campaigns targeting organizations in the Netherlands, tracked by the research group Hunt & Hackett.
Since 2021, victims of these campaigns have spanned targets in media, telecommunications, internet service providers, and IT service providers, with a specific focus on reaching websites associated with Kurds and the Kurdistan Workers' Party.
Turkey has been in conflict with Kurdish opposition groups, primarily represented by the PKK, for decades.
Tens of thousands of ethnic Kurds live in the Netherlands.

Sea Turtle's Return From Extinction

Evidence of Sea Turtle activity dates back to 2017, but the group was only first discovered in 2019.
By that time, it had already compromised more than 40 organizations - including many in government and the military - spread across 13 countries, primarily in the Middle East and Africa.
Each of those cases involved a DNS hijack: the group manipulated targets' DNS records to redirect incoming traffic to its own servers before passing that traffic on to its intended destination.
As recent evidence indicates, it never really went away, or even changed that much.
It might not have been overly sophisticated, if the rest of the attack is anything to go by.
One might expect a nation-state-aligned espionage group to be highly evasive.
Sea Turtle did take some basic precautions like overwriting Linux system logs.
On the other hand, it hosted many of its attack tools on a standard, public GitHub account.
In the end the attacks were at least moderately successful.
Not all are aligned with the state, and a couple belong to the Kurdish opposition, but even with that caveat, the country seems to receive proportionately less press than many of its counterparts.
That, the researcher says, is partially due to size.


This Cyber News was published on www.darkreading.com. Publication date: Mon, 08 Jan 2024 21:55:04 +0000

