To obtain access to a variety of clients’ systems and data in a single attack, hackers frequently target IT service providers. 

Their strategy lets them maximize the effect of their efforts by allowing them to compromise several organizations from a single point of entry.

Cybersecurity security researchers at Hunt & Hackett recently discovered that the Turkish espionage APT group Sea Turtle has been actively exploiting the known vulnerabilities to attack IT service providers.

Sea Turtle APT Group

Sea Turtle APT group has been active since 2017 and is known for DNS hijacking; it adapts to evade detection. 

Evading detection, Microsoft exposed SILICON in Oct 2021, aligning with Turkish interests. Not only that, even in 2022, the Greek National CERT shared the IOCs. 

For sensitive data, Sea Turtle targets the following areas:-

• Europe
• Middle East
• North Africa

Here below, we have mentioned all the sectors and entities targeted:-

• Gov’t bodies
• Kurdish groups
• NGOs
• Telecom
• ISPs
• IT
• Media

Successful attacks aid surveillance and intelligence gathering. Sea Turtle intercepts internet traffic using reverse shell for data extraction.

Researchers tracked the Sea Turtle’s campaigns also in the Netherlands and discovered that they are primarily focused on the following two key things for Turkish interests:-

• Economic espionage
• Political espionage

Recent campaigns in the Netherlands target the following:- 

• Telecom
• Media
• ISPs
• Kurdish websites

Sea Turtle employs supply chain attacks to collect politically motivated information. Stolen data is likely used for surveillance or intelligence on specific groups.

In early 2023, Hunt & Hackett identified Sea Turtle’s latest campaigns targeting multiple organizations. In one attack, experts identified that the threat actor compromised a cPanel account and used a VPN for access. 

They created a WebMail session and performed SSH logons from a hosting provider’s IP. Source code files for a ‘C’ programming language reverse shell were downloaded and compiled from a known Sea Turtle GitHub repository. 

The PwC independently linked this to Sea Turtle using the SnappyTCP reverse shell, and here, the SnappyTCP was downloaded from a Sea Turtle server (http[://]193.34.167[.]245/c00n/connn.c). 

The actor established a command-and-control channel, employed anti-forensic measures, and reconnected to the compromised cPanel account.

If specific conditions are met, the SnappyTCP malware does the following things:-

• Reads a config file
• Performs an HTTP GET with ‘sy.php’ request URI
• Spawns a reverse shell

Meanwhile, the C&C channel likely involves Socat, which matches the characteristics found on the server.

Recommendations

Here below, we have mentioned all the recommendations provided by the cybersecurity analysts:-

• Deploy EDR for monitoring network connections, processes, and account activity; store logs centrally.
• Enforce a strong password policy.
• Always use a secrets management system for storage.
• Limit logon attempts.
• Enable 2FA on external accounts.
• Keep software updated to minimize vulnerabilities.
• Restrict SSH access
• Implement SSH logon rate limit.
• Implement egress network filtering to block malicious traffic.