Turkish ‘Sea Turtle’ hackers target Dutch companies in espionage campaign
Turkish state-sponsored hackers have been observed targeting telecom, media, and tech companies in the Netherlands in an espionage campaign, according to a recent report.
The campaign was launched by the threat actor known as Sea Turtle, which operates in alignment with Turkish interests, researchers at Dutch cybersecurity firm Hunt & Hackett said.
The group’s multiple campaigns detected in the Netherlands over the past year focused on telecommunications, media, internet service providers, tech companies and Kurdish websites.
The hackers’ goal was to collect politically motivated information, such as personal details on minority groups and potential political dissidents, researchers said. In at least one of the observed cases, the threat actor also collected an email archive with potentially sensitive data.
The report didn’t identify the group’s victims in the Netherlands but said that the victims’ infrastructure was susceptible to supply chain and island-hopping attacks, in which hackers compromise a target organization’s network and then use it as a launching pad to attack other organizations.
Researchers said that this strategy appears to be consistent with claims from U.S. officials in 2020 about hacker groups acting in Turkey’s interest, based on the identities and locations of the victims — including governments that are geopolitically significant to Turkey.
At that time, the Turkey-backed hackers were mostly known for their attacks on the Greek and Cypriot governments’ email services, as well as against Iraq’s national security advisor.
Sea Turtle, also tracked as Silicon and Cosmic Wolf, has operated mostly under the radar since around 2017. Its targets are primarily located in Europe, the Middle East and North Africa and include governmental bodies, Kurdish political groups, NGOs, telecommunication entities, tech companies, as well as media and entertainment organizations.
The group is considered “moderate in sophistication,” researchers said. The hackers primarily focus on using public vulnerabilities to get initial access to the organizations.
In a previous report, researchers at PwC said that the threat actor has used code from a publicly accessible GitHub account, which is likely controlled by them.
During one of the campaigns last year, the hackers used malware dubbed SnappyTCP, which exploits vulnerabilities in Linux or Unix systems to gain a foothold on the targeted system, steal data or install additional malware. To stay undetected, the group executed defense evasion techniques, researchers said.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.