Introduction
Sea Turtle is a Türkiye-linked threat actor, active since at least 2017, that conducts espionage and service-provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars that manage ccTLDs and for complex DNS-based intrusions in which it compromised DNS providers to hijack DNS resolution for its ultimate victims, letting it spoof login portals and other applications to collect credentials (Talos Sea Turtle 2019 [6]; Talos Sea Turtle 2019_2 [9]; PWC Sea Turtle 2023 [10]; Hunt Sea Turtle 2024 [7]).
Activities and Tactics
Country of Origin: 🇹🇷 Turkey
First Seen: 2019
Last Activity: 2019
Suspected Victims: Germany
Notable Campaigns
- Sea Turtle
Tactics, Techniques, and Procedures (TTPs)
- T1583 Acquire Infrastructure
- T1074.002 Remote Data Staging
- T1114.001 Local Email Collection
- T1583.002 DNS Server
- T1608.003 Install Digital Certificate
- T1690 Prevent Command History Logging
- T1584.002 DNS Server
- T1583.003 Virtual Private Server
- T1588.004 Digital Certificates
- T1560.001 Archive via Utility
- T1564.011 Ignore Process Interrupts
- T1588.002 Tool
- T1190 Exploit Public-Facing Application
- T1078.003 Local Accounts
- T1203 Exploitation for Client Execution
- T1566 Phishing
- T1133 External Remote Services
- T1213.006 Databases
- T1583.001 Domains
- T1027.004 Compile After Delivery
- T1685.006 Clear Linux or Mac System Logs
- T1059.004 Unix Shell
- T1505.003 Web Shell
- T1078 Valid Accounts
- T1071.001 Web Protocols
- T1199 Trusted Relationship
- T1557 Adversary-in-the-Middle
ATT&CK technique IDs (denormalized)
- T1027.004
- T1059.004
- T1071.001
- T1074.002
- T1078
- T1078.003
- T1114.001
- T1133
- T1190
- T1199
- T1203
- T1213.006
- T1505.003
- T1557
- T1560.001
- T1564.011
- T1566
- T1583
- T1583.001
- T1583.002
- T1583.003
- T1584.002
- T1588.002
- T1588.004
- T1608.003
- T1685.006
- T1690
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- DNS hijacking
- CVE-2009-1151
- CVE-2014-6271
- CVE-2017-3881
- CVE-2017-6736
- CVE-2017-12617
- CVE-2018-0296
- CVE-2018-7600
- Drupalgeddon
MITRE ATT&CK Software
Attribution and Evidence
Country of Origin: Turkey
Additional attribution information pending cataloguing.
References
[1] mitre-attack.
[6] Talos Sea Turtle 2019: Cisco Talos. (2019, April 17). Sea Turtle: DNS Hijacking Abuses Trust In Core Internet Service. Retrieved November 20, 2024.
[7] Hunt Sea Turtle 2024: Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
[8] Microsoft Digital Defense 2021: Microsoft. (2021, October). Microsoft Digital Defense Report. Retrieved November 20, 2024.
[9] Talos Sea Turtle 2019_2: Paul Rascagneres. (2019, July 9). Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques. Retrieved November 20, 2024.
[10] PWC Sea Turtle 2023: PwC Threat Intelligence. (2023, December 5). The Tortoise and The Malware. Retrieved November 20, 2024.