Sea Turtle APT Group
In this article we analyse an APT group that has drawn considerable attention for its recent activity: "Sea Turtle".
Sea Turtle is a cyber espionage group assessed to operate out of Turkey. Below we look at its motivations, attack methods and potential impact, and then at the measures and defence strategies that can be taken against threats of this kind, so as to contribute to the security knowledge base of the infrastructures it targets.
The group is also tracked under the names "Teal Kurma", "Marbled Dust", "SILICON" and "Cosmic Wolf". It is estimated to be based in Turkey and has been active since at least 2017, when it first made a name for itself with DNS hijacking. In 2021 Microsoft identified activity aligned with Turkish strategic interests under the SILICON designation. Although public information about the group is limited and comes from a small number of sources, its activity flows have been documented by several organisations.
Its targeting concentrates on organisations in Europe and the Middle East. Known victims include organisations that Turkey regards as terrorist threats (e.g. the PKK), ISPs, IT service providers, media and entertainment companies and telecommunications operators.
The main activities against these organisations are redirecting traffic destined for the victims' websites (through hijacked DNS) and obtaining unauthorised access to government and organisational infrastructure. The target profile described above was itself a key factor in attributing the activity to this threat actor. The group's use of a reverse shell to maintain access let the volume of collected data grow rapidly and enriched the pool of new targets.
Some Techniques and Details of the Threat Group
1. Intrusions Starting with cPanel Account Compromise
This activity was discovered in early 2023 and targeted a web hosting platform used by organisations worldwide. Several routes could have enabled the breach; one possibility, not confirmed, is that unauthorised access was obtained by exploiting zero-day vulnerabilities not yet addressed by security updates.
A legitimate, authorised user was seen logging on to the platform from the IP range of a known VPN provider. An SSH session was opened from the same IP address, and a WebMail session was subsequently created with the same account. Some time after the operation began, a further connection was accepted via the cPanel Web Disk feature. Taken together, these detections show that the actor made persistent use of cPanel features throughout the operation.
Shortly after these detections, the Adminer MySQL management tool was found installed in the public web directory of one of the compromised cPanel accounts. The same Adminer file was also present in a public GitHub repository suspected of belonging to the group, which hosts the SnappyTCP source code discussed below. A few weeks after the Web Disk connection, a further cPanel account compromise was detected when that account was logged into cPanel and, in the same way, a WebMail session was opened afterwards.
2. Activities over Secure Protocols to Avoid Tracking
As noted, SSH sessions were opened with the compromised authorised accounts. The main advantages this gave the actor were:
- An encrypted channel for lateral movement. Once logged in, all data communication is protected by the protocol, and the authorisation obtained allows quiet lateral movement across the network.
- Support for persistence in the network, including privilege escalation. The channels established over SSH played an important role in data exfiltration during the operations.
- The ability to diversify activity in parallel by creating additional authorised SSH keys or reusing existing ones.
After the access obtained via cPanel, the group's initial access into the IT environment was established through these SSH sessions.
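The access chain in sections 1 and 2 (cPanel login, SSH from the same address, then webmail and Web Disk with the same account) can be turned into a detection rule. The following Python script is an added example, not code from the original report or from any vendor: it correlates authentication events by (account, source IP) and raises an alert when one external address is used for cPanel, SSH and a follow-on webmail or Web Disk session within a window. The unified log format, the sample events and the VPN range 198.51.100.0/24 are all constructed for the example; real cPanel access_log and sshd syslog lines would need their own parsers to produce the same fields, and the scoring weights are an assumption.

```python
"""
Correlate cPanel, webmail, Web Disk and SSH logins by (account, source IP)
and flag the Sea Turtle access pattern: one external address that logs in
to cPanel, opens SSH and then uses webmail / Web Disk with the same account
inside a short window.  Added example; not code from the original report.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, unified line format:
#   <ISO8601 UTC timestamp> user=<account> ip=<source> service=<cpanel|ssh|webmail|webdisk>
# A real deployment would normalise /usr/local/cpanel/logs/access_log and
# sshd syslog lines into this shape first.
SAMPLE_LOGS = """\
2023-02-01T09:12:03Z user=webadmin ip=198.51.100.23 service=cpanel
2023-02-01T09:14:40Z user=webadmin ip=198.51.100.23 service=ssh
2023-02-01T09:20:15Z user=webadmin ip=198.51.100.23 service=webmail
2023-02-01T11:05:02Z user=webadmin ip=198.51.100.23 service=webdisk
2023-02-01T08:00:00Z user=alice ip=203.0.113.9 service=cpanel
2023-02-02T10:00:00Z user=alice ip=203.0.113.9 service=webmail
2023-02-01T13:30:00Z user=bob ip=192.0.2.77 service=ssh
"""

# Assumed stand-in for the VPN provider range the report mentions (constructed).
VPN_RANGES = ["198.51.100.0/24"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)\s+service=(?P<service>\S+)$"
)


def parse_events(text):
    """Parse the unified log text into (timestamp, user, ip, service) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or unparseable lines rather than abort the hunt
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["ip"], m["service"]))
    return events


def correlate(events, vpn_ranges, window=timedelta(hours=6)):
    """Group events by (user, ip) and score each group against the pattern."""
    nets = [ipaddress.ip_network(r) for r in vpn_ranges]
    by_key = defaultdict(list)
    for ts, user, ip, service in events:
        by_key[(user, ip)].append((ts, service))

    alerts = []
    for (user, ip), evs in by_key.items():
        evs.sort()
        services = {svc for _, svc in evs}
        span = evs[-1][0] - evs[0][0]
        # The report's chain needs both a cPanel login and SSH from one address.
        if not ({"cpanel", "ssh"} <= services and span <= window):
            continue
        follow_on = services & {"webmail", "webdisk"}
        from_vpn = any(ipaddress.ip_address(ip) in net for net in nets)
        # Scoring is an assumption for the example: base 2 for cPanel+SSH,
        # +1 per follow-on cPanel feature, +2 if the source is a known VPN range.
        score = 2 + len(follow_on) + (2 if from_vpn else 0)
        alerts.append({
            "user": user, "ip": ip, "services": sorted(services),
            "first_seen": evs[0][0].isoformat(), "from_vpn": from_vpn, "score": score,
        })
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOGS), VPN_RANGES):
        print(alert)
```

Only the webadmin group trips the rule in the sample data: alice never opens SSH and bob never touches cPanel, so neither produces an alert even though both appear in the logs.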
3. Activities through Backdoor Communication Channels
- Backdoor activity was carried out with the SnappyTCP tool, whose source code was first downloaded from the server at 193.34.167[.]245. When executed, the tool issues an HTTP request to a URI containing "sy.php", and the backdoor is activated only after a verification step on the response.
- The response to the HTTP GET request is expected to carry the header "X-Auth-43245-S-20". The size of the response body and its first character, "@", are also checked. A reverse shell is then established to the IP address and port returned by the server. If any step fails, the procedure is repeated after a sleep interval.
- The command and control (C&C) side is believed to be built on "socat". The command format seen in the traffic is characteristic of socat, and the binary is hosted on the same server (".245/c00n/socat"). Requests to Sea Turtle servers for "hxxp[//]193.34.167[.]245/c00n/socat" were mostly answered with "@8.8.8[.]8:443".
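The verification steps described above can be reproduced as a parser for proxy logs or packet-capture extracts. The following Python code is an added example, not SnappyTCP itself and not code from the report: it inspects a raw HTTP response, checks for the X-Auth-43245-S-20 header and an "@"-prefixed body, and extracts the IP and port the implant would connect back to, which is the value a detection should alert on. The sample responses are constructed (the first mirrors the "@8.8.8[.]8:443" answers noted above); the 64-byte maximum body size is an assumption, since the report mentions a size check but not its bound.

```python
"""
Offline check for the SnappyTCP tasking response described above: the HTTP
reply must carry the X-Auth-43245-S-20 header and a small body beginning
with '@' followed by the reverse-shell target.  Added example; this is a
detection-side parser, not the implant's own code.
"""
import ipaddress
import re

AUTH_HEADER = b"x-auth-43245-s-20"          # header names compared case-insensitively
BODY_RE = re.compile(rb"@(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*\Z")
MAX_BODY = 64  # assumption: the report mentions a size check but not the bound

# Constructed sample responses (not captured traffic).  The first mirrors the
# "@8.8.8[.]8:443" answers the report describes.
SAMPLE_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Auth-43245-S-20: 1\r\n"
    b"Content-Length: 12\r\n\r\n@8.8.8.8:443",
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 12\r\n\r\n@8.8.8.8:443",
    b"HTTP/1.1 200 OK\r\nX-Auth-43245-S-20: 1\r\n\r\n<html>ok</html>",
    b"HTTP/1.1 200 OK\r\nX-Auth-43245-S-20: 1\r\n\r\n@8.8.8.8:70000",
]


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def snappytcp_target(raw, max_body=MAX_BODY):
    """Return (ip, port) if raw matches the SnappyTCP tasking format, else None."""
    parsed = parse_http_response(raw)
    if parsed is None:
        return None
    _, headers, body = parsed
    if AUTH_HEADER not in headers:
        return None
    # Body checks the report describes: bounded size and a leading '@'.
    if not body or len(body) > max_body or body[:1] != b"@":
        return None
    m = BODY_RE.match(body)
    if not m:
        return None
    ip, port = m.group(1).decode(), int(m.group(2))
    try:
        ipaddress.ip_address(ip)      # rejects octets above 255
    except ValueError:
        return None
    if not 1 <= port <= 65535:
        return None
    return ip, port


def scan_responses(responses):
    """Return [(index, (ip, port))] for every response that looks like tasking."""
    hits = []
    for idx, raw in enumerate(responses):
        target = snappytcp_target(raw)
        if target is not None:
            hits.append((idx, target))
    return hits


if __name__ == "__main__":
    for idx, (ip, port) in scan_responses(SAMPLE_RESPONSES):
        print(f"response {idx}: SnappyTCP reverse shell target {ip}:{port}")
```

Of the four constructed responses only the first qualifies: the second lacks the header, the third has no "@" body, and the fourth carries an out-of-range port. Alerting on the header name alone would be noisier; requiring the full shape keeps the match specific to this implant.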
Identification for Sea Turtle
Attribute | Details |
--- | --- |
Associations | Teal Kurma, Marbled Dust, SILICON, Cosmic Wolf |
Targets | Governments, terrorist groups, telecommunications, IT providers, ISPs, media and entertainment organisations, NGOs |
Geo Locations | Europe, Middle East, North Africa |
Actions | MITM to harvest credentials for initial access, theft of valid encryption certificates, redirection of legitimate website user traffic |
Information Gathering | A reverse shell was used to obtain and exfiltrate sensitive data. |
Motivation | Activity against government and media organisations is believed to be aimed at gathering political and economic intelligence. |
TTPs
Tactic | Technique | Findings |
--- | --- | --- |
Resource Development | T1588.001 | Sea Turtle used the SnappyTCP malware, whose source code is available on GitHub. |
Initial Access | T1133, T1078.004 | Sea Turtle compromised cPanel accounts and used SSH to gain access to the IT infrastructure. |
Execution | T1059.004 | Sea Turtle used the Bash Unix shell to execute malicious commands and the SnappyTCP malware. |
Persistence | T1505.003 | Sea Turtle executed SnappyTCP with nohup, which keeps the malware running after the shell or terminal exits, and installed Adminer in the public web directory of a cPanel account. |
Defense Evasion | T1070.003, T1070.002 | Sea Turtle cleared the bash and MySQL history files and overwrote Linux system logs. |
Collection | T1114.001 | Sea Turtle created a copy of the email archive of a compromised cPanel account in the public web directory of a website accessible from the internet. |
Command and Control | T1071.001, T1095 | Sea Turtle configured SnappyTCP to establish a command and control channel to the domain forward.boord[.]info on port 443 using TCP and HTTP. |
Exfiltration | T1567 | Sea Turtle created a copy of the email archive of a compromised cPanel account in the public web directory of a website accessible from the internet. It is highly likely that Sea Turtle exfiltrated the email archive by downloading the file from the website. |
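The Persistence, Defense Evasion, Collection and Exfiltration rows above describe artifacts that can be hunted for on a cPanel host. The following Python hunt script is an added example, not tooling from the report: it walks an account's home directory, flags PHP files in the web root that carry the Adminer banner, flags archive files staged in the web root, and flags bash or MySQL history files that have been emptied or pointed at /dev/null. The demo directory tree it builds is constructed for the example, and the file-name and banner heuristics are assumptions that will need tuning on real hosts.

```python
"""
Hunt an account's home directory on a cPanel host for the post-compromise
artifacts listed in the TTP table: an Adminer copy in the web root, archive
files staged in the web root, and cleared bash / MySQL history files.
Added example; not tooling from the original report.
"""
import os
import tempfile
from pathlib import Path

WEB_DIRS = ("public_html", "www")                     # cPanel document roots
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".zip", ".mbox", ".7z")
HISTORY_FILES = (".bash_history", ".mysql_history")
BANNER_BYTES = 4096   # assumption: Adminer's name appears in its header comment


def hunt_account_home(home):
    """Return a list of (finding_type, path) tuples for one account home."""
    home = Path(home)
    findings = []

    for web in WEB_DIRS:
        webdir = home / web
        if not webdir.is_dir():
            continue
        for path in sorted(webdir.rglob("*")):
            if not path.is_file():
                continue
            name = path.name.lower()
            if name.endswith(".php"):
                # Heuristic: the single-file Adminer build carries its name near the top.
                if b"adminer" in path.read_bytes()[:BANNER_BYTES].lower():
                    findings.append(("adminer_in_webroot", str(path)))
            elif name.endswith(ARCHIVE_SUFFIXES):
                # Archives under a web root are reachable from the internet; the
                # report describes an email archive staged this way for exfiltration.
                findings.append(("archive_in_webroot", str(path)))

    for hist in HISTORY_FILES:
        p = home / hist
        if p.is_symlink():
            if os.readlink(p) == "/dev/null":
                findings.append(("history_nulled", str(p)))
        elif p.is_file() and p.stat().st_size == 0:
            findings.append(("history_empty", str(p)))
    return findings


def build_demo_home():
    """Create a constructed cPanel-style home directory with planted artifacts."""
    home = Path(tempfile.mkdtemp(prefix="cpanel_hunt_"))
    pub = home / "public_html"
    pub.mkdir()
    (pub / "index.php").write_text("<?php echo 'site'; ?>\n")          # benign
    (pub / "db.php").write_text("<?php /** Adminer 4.8.1 MySQL management */ ?>\n")  # stand-in banner
    (pub / "mail_archive.tar.gz").write_bytes(b"\x1f\x8b\x08" + b"\x00" * 8)
    (home / ".bash_history").touch()                  # truncated to zero bytes
    os.symlink("/dev/null", home / ".mysql_history")  # history redirected to /dev/null
    return str(home)


if __name__ == "__main__":
    for kind, path in hunt_account_home(build_demo_home()):
        print(f"{kind:20s} {path}")
```

Run across every home under /home on a cPanel server, the same function gives a per-account list of findings; an empty history file alone is weak evidence, so it is most useful when it coincides with a web-root finding for the same account.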
Indicators of Compromise
IoC | Type |
--- | --- |
aea947f06ac36c07ae37884abc5b6659d91d52aa99fd7d26bd0e233fd0fe7ad4 | SHA-256 |
ae89540cdfb11b0c9ebda8cfdf8f5e27ba8b729c46abc395a0e1e8bb99b00c54 | SHA-256 |
fb02a6ca9d4f80ba9832ca22eec4d58233929ad952805030fd9da276714dabca | SHA-256 |
d0a7d18e283f80d456ab57fe4d986ef1f020f9c3293ae640b7d8976a694c1757 | SHA-256 |
984f3e8af0c59cfa918319e3b813d75be4277a9765201bd14a9be9ee6b008d34 | SHA-256 |
86b13a1058dd7f41742dfb192252ac9449724c5c0a675c031602bd9f36dd49b5 | SHA-256 |
77a2466a89ed1d83c700d313395c4d10345d6d7f3e1fd294c6eb111b218422a3 | SHA-256 |
6b8a6c28f7a8df5e226ce853230bb667316e2eae136e64edd6e44f5648683f11 | SHA-256 |
67647f0226e29ada304e476d4e9d35b4ac916c584b1768eb5127bd0df1818707 | SHA-256 |
6650c6971d6e7927efad09b215426a442c6342dd22f073972021d8e81a3ba124 | SHA-256 |
47c4e2c71e5caa2e0aeb3ed7a3f0d2c482c6acc19e82bac5d7821aa6ef9e735a | SHA-256 |
405b2c867408f4dc6583109cbc21bac0e78f2f0e6c45013d1c9811a6f0b99a81 | SHA-256 |
3c9e4ba1278b751c24f03ba39cb317b1bc51d2dc5173b0a0b201bc62fdc2c6fd | SHA-256 |
1695a1adb142d4da4830654c72796fc33d1e8ab9af03de85b7d6ef3e959985ab | SHA-256 |
15528410418d246a085044c67f431397d159d64003f13145b68287e7a68e805a | SHA-256 |
29f82ca8b268b1b74e22e05ef85e64cf7cf96751e494a07fe8ef96046e39dc26 | SHA-256 |
293703318fab4ad56124d37e6c93d1aecbce4c656782c40fce5d67f3b4149558 | SHA-256 |
276b1cecbd4ab24bbd47c23558143bdf905440c7045a7ff46a49d80b341c2cd5 | SHA-256 |
30eb5c522a29a1aad4c55cccadcbfd335beed648904f13b25379f23536404803 | SHA-256 |
1ac0b2e91ba3d33ed6b8cd90f5c1f63454bfdf7aad7dbf4f239445f31dfc6eb5 | SHA-256 |
ddcc23f81362bb394e0ee66fda549a1523860b3b | SHA1 |
da64b83c2998212bbf77862e17d3564a0745f222 | SHA1 |
d4ca42e06e5803a5c3bf35c52c0a7b9408356ac3 | SHA1 |
c8d8a7bfe27be6087685495726593d7f6168e94c | SHA1 |
c418180c7233233364bb223a2ba621b167bfb503 | SHA1 |
c17928c00a9dad1a6455eaa490355dd311f6d88f | SHA1 |
bce355f628fcd7aec82a2f33e8af3bd87b6a33d8 | SHA1 |
ae78ba9e5dad29ac910996a0c5d34684cedfe3f7 | SHA1 |
9c3f19a8a0824fc9745b5b8dd86f660a1e186d52 | SHA1 |
922bab717a9b21dc3510ba96e0c3e4a93296e934 | SHA1 |
87f4775c29b47617c0fefa984bb342a79c0ba02d | SHA1 |
700d2c7e00df8249e61ccda1fcf6f1f235dc6d23 | SHA1 |
826fe3ed0a75f5c7f093451e11588d07ff90ac81 | SHA1 |
7f8ed51d632738e3523a94ba5f94b997e922e9fe | SHA1 |
450431fd6561ea4cbb853762163f7a1544d562b8 | SHA1 |
3a5fe689d7f0ee374b1ef0b9227aecae56925e84 | SHA1 |
6557106402d71958aac007940a6cdd934e0b2336 | SHA1 |
6487e320b6294669604a61866b29ce78c3f34e69 | SHA1 |
600a3f64a619db97457231b2e654d5b4a794d2f8 | SHA1 |
f1a4abd70f8e56711863f9e7ed0a4a865267ec7 | SHA1 |
514e02418468dfcad702b0e0be22fb8f9a5366bc | SHA1 |
d036adb864e46ad88dd2c1dbca62137a | MD5 |
c7e99654250bf4e3286c3ea7547a62fe | MD5 |
9ac96799b2b7a376c7a7fc3c76322556 | MD5 |
9a56d56aa24ccc75ef5709747ec5ca8b | MD5 |
bb7cd2dc1dd3bcd6932a6e75a1c95afe | MD5 |
f17985bdc165388476dd228eb927d632 | MD5 |
e69541dd97e4d4abfa33d5d4907412c6 | MD5 |
e3e4b90f9ebe829ab323e68139becf0c | MD5 |
d2a8ec0f0c4f2f015830788cec54c67f | MD5 |
4b8ac8f2d517cd9836a2578cae47fe8d | MD5 |
6f20fdd1fd6c133ef575bd36437578cf | MD5 |
2352627014f80918dde97aad963c5cf2 | MD5 |
2a684c83401ec4706f81bf4a3503e096 | MD5 |
19021c37d8adda5fa509dd242629cd50 | MD5 |
122b56b4474f93d496dee79d939c58f4 | MD5 |
102d8524f21d1b6b0380c817a435e9a7 | MD5 |
8e08c7c440bf9f5380dd614238fa2d38 | MD5 |
80aa20453ca295467bff3f8708a06280 | MD5 |
7d0d50de5aa34f7a0e8cffe06f50a5fb | MD5 |
8640f22e5a859ea2216d0e9dacef4f50 | MD5 |
185.158.248[.]8 | ip |
108.61.103[.]186 | ip |
87.120.254[.]120 | ip |
206.166.251[.]163 | ip |
88.119.171[.]248 | ip |
31.13.195[.]52 | ip |
168.100.8[.]245 | ip |
31.214.157[.]230 | ip |
168.100.9[.]203 | ip |
45.80.148[.]172 | ip |
eth0[.]secrsys[.]net | domain |
168.100.10[.]187 | ip |
hxxp://108.61.103[.]186/sy.php | url |
93.115.22[.]212 | ip |
199.247.29[.]25 | ip |
hxxp://lo0[.]systemctl[.]network/sy.php | url |
95.179.176[.]250 | ip |
al-marsad[.]co | domain |
alhurra[.]online | domain |
lo0[.]systemctl[.]network | domain |
146.190.28[.]83 | ip |
anfturkce[.]news | domain |
nmcbcd[.]live | domain |
aws[.]systemctl[.]network | domain |
querryfiles[.]com | domain |
systemctl[.]network | domain |
dhcp[.]systemctl[.]network | domain |
ud[.]ybcd[.]tech | domain |
upt[.]mcsoft[.]org | domain |
ybcd[.]tech | domain |
exp-al-marsad[.]co | domain |
93.123.12[.]151 | ip |