Turkish ‘Sea Turtle’ hackers target Dutch companies in espionage campaign

Siva Ramakrishnan
Turkish state-sponsored hackers have been observed targeting telecom, media, and tech companies in the Netherlands in an espionage campaign, according to a recent report.

Turkish state-sponsored hackers have been observed targeting telecom, media, and tech companies in the Netherlands in an espionage campaign, according to a recent report.

The campaign was launched by the threat actor known as Sea Turtle, which operates in alignment with Turkish interests, researchers at Dutch cybersecurity firm Hunt & Hackett said.

The group’s multiple campaigns detected in the Netherlands over the past year focused on telecommunications, media, internet service providers, tech companies and Kurdish websites.

The hackers’ goal was to collect politically motivated information, such as personal details on minority groups and potential political dissents, researchers said. In at least one of the observed cases, the threat actor also collected an email archive with potentially sensitive data.

The report didn’t identify the group’s victims in the Netherlands but said that their infrastructure was susceptible to supply chain and island-hopping attacks, where hackers compromise a target organization’s network and then use it as a launching pad to attack other organizations.

Researchers said that this strategy appears to be consistent with claims from U.S. officials in 2020 about hacker groups acting in Turkey’s interest, based on the identities and locations of the victims — including governments that are geopolitically significant to Turkey.

At that time, the Turkey-backed hackers were mostly known for their attacks on the Greek and Cypriot governments’ email services, as well as against Iraq’s national security advisor.

Sea Turtle, also tracked as Silicon and Cosmic Wolf, has operated mostly under the radar since around 2017. Its targets are primarily located in Europe, the Middle East and North Africa and include governmental bodies, Kurdish political groups, NGOs, telecommunication entities, tech companies, as well as media and entertainment organizations

The group is considered “moderate in sophistication,” researchers said. The hackers primarily focus on using public vulnerabilities to get initial access to the organizations.

In a previous report, researchers at PwC said that the threat actor has used code from a publicly accessible GitHub account, which is likely controlled by them.

During one of the campaigns last year, the hackers used malware dubbed SnappyTCP, which exploits vulnerabilities in Linux or Unix systems to gain a foothold on the targeted system, steal data or install additional malware. To stay undetected, the group executed defense evasion techniques, researchers said.

BriefsNation-state
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Previous Post

Ransomware gang takes credit for Christmas attack on global Lutheran organization

Next Post

Myanmar rebels take control of ‘pig butchering’ scam city amid Chinese pressure on junta

Related Posts

Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild. The flaws are listed below - CVE-2024-44308 - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content CVE-2024-44309 - A cookie management vulnerability in
Avatar
Read More