Hunt & Huckett reports a recent Sea Turtle-attributed campaign targeting telecommunication, media, internet service providers and information technology companies in the Netherlands.
Sea Turtle is an advanced persistent threat actor engaged in espionage, which has been historically linked to the Turkish government mainly based on victimology. The actor has historically targeted government, organizations and businesses in apparent alignment with Turkey's strategic interests. Victims include entities and websites associated with the Kurdistan Workers' Party (PKK).
Sea Turtle espionage campaigns have historically targeted Europe, North Africa and the Middle East. The recent focus on the Netherlands may be the result of the growing tensions between NATO and Turkey in relation to the ongoing conflict in the Middle East.
Initial access was performed via compromising cPanel accounts. The actor performed login onto such accounts via SSH. Based on this, it is reasonable to hypothesize the actor may have exploited weak or compromised credentials and / or performed a more sophisticated social engineering campaign to attack specific accounts. However, no conclusive information in connection to the reconnaissance phase. At the same time, it is known that Seat Turtle has historically targeted organizations impacted by vulnerabilities in internet-exposed systems.
Once gained access to the environment, Sea Turtle used bash commands to execute the SnappyTCP malware. The latter was apparently executed with the "nohup" command, enabling to keep the malware running after exiting the terminal. The actor also installed Adminer in the public web directory of one of the compromised cPanel accounts.
SnappyTCP is responsible for initiating connection to the command-and-control server at forward.boord[.]info over port 443 - a NameSilo-registered domain which was created in November 2021, suggesting a long lasting espionage campaign. At that point, Sea Turtle was able to exfiltrate the email archive of the compromised cPanel account.