G1041 Sea Turtle
Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and for complex DNS-based intrusions in which the threat actor compromised DNS providers to hijack DNS resolution for the ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][4][5][2]
| Item | Value |
|---|---|
| ID | G1041 |
| Associated Names | Teal Kurma, Marbled Dust, Cosmic Wolf, SILICON |
| Version | 1.0 |
| Created | 20 November 2024 |
| Last Modified | 28 March 2025 |
Associated Group Descriptions
| Name | Description |
|---|---|
| Teal Kurma | [5][2] |
| Marbled Dust | [5][2] |
| Cosmic Wolf | [5][2] |
| SILICON | [3][2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | Sea Turtle accessed victim networks from VPN service provider networks.[2] |
| enterprise | T1583.001 | Domains | Sea Turtle registered domains for authoritative name servers used in DNS hijacking activity and for command and control servers.[4][2] |
| enterprise | T1583.002 | DNS Server | Sea Turtle built adversary-in-the-middle DNS servers to impersonate legitimate services that were later used to capture credentials.[4][1] |
| enterprise | T1583.003 | Virtual Private Server | Sea Turtle created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture.[1] |
| enterprise | T1557 | Adversary-in-the-Middle | Sea Turtle modified DNS records at service providers to redirect traffic from legitimate resources to Sea Turtle-controlled servers, enabling adversary-in-the-middle attacks for credential capture.[1][4] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Sea Turtle connected over TCP using HTTP to establish command and control channels.[2] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Sea Turtle used the tar utility to create a local archive of email data on a victim system.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Sea Turtle used shell scripts for post-exploitation execution in victim environments.[5][2] |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.002 | DNS Server | Sea Turtle modified Name Server (NS) records to point to Sea Turtle-controlled DNS servers, which then provided the responses for all DNS lookups.[1][4] |
| enterprise | T1213 | Data from Information Repositories | - |
| enterprise | T1213.006 | Databases | Sea Turtle used the tool Adminer to remotely log on to the MySQL service of victim machines.[2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.002 | Remote Data Staging | Sea Turtle staged collected email archives in the public web directory of a website that was accessible from the internet.[2] |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.001 | Local Email Collection | Sea Turtle collected email archives from victim environments.[2] |
| enterprise | T1190 | Exploit Public-Facing Application | Sea Turtle gained access to victim environments by exploiting multiple known vulnerabilities over several campaigns.[1][5] |
| enterprise | T1203 | Exploitation for Client Execution | Sea Turtle has used exploits for vulnerabilities such as CVE-2021-44228, CVE-2021-21974, and CVE-2022-0847 to achieve client code execution.[5] |
| enterprise | T1133 | External Remote Services | Sea Turtle has used external-facing SSH to achieve initial access to the IT environments of victim organizations.[2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.011 | Ignore Process Interrupts | Sea Turtle executed SnappyTCP using nohup, which keeps the malware running after the shell or terminal is closed.[2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.003 | Impair Command History Logging | Sea Turtle unset the Bash and MySQL history files on victim systems.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.002 | Clear Linux or Mac System Logs | Sea Turtle has overwritten Linux system logs and unset the Bash history file (effectively removing logging) during intrusions.[2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.004 | Compile After Delivery | Sea Turtle downloaded source code files from remote addresses and then compiled them locally with GCC in victim environments.[2] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Sea Turtle has used tools such as Adminer during intrusions.[2] |
| enterprise | T1588.004 | Digital Certificates | Sea Turtle created new certificates using a technique called "certificate impersonation," in which Sea Turtle obtained a certificate authority-signed X.509 certificate for the same domain from another provider, imitating the one already used by the targeted organization.[1][4] |
| enterprise | T1566 | Phishing | Sea Turtle used spear phishing to gain initial access to victims.[1] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | Sea Turtle deployed the SnappyTCP web shell during intrusion operations.[5][2] |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.003 | Install Digital Certificate | Sea Turtle captured legitimate SSL certificates from victim organizations and installed them on Sea Turtle-controlled infrastructure to enable subsequent adversary-in-the-middle operations.[1] |
| enterprise | T1199 | Trusted Relationship | Sea Turtle targeted third-party entities in trusted relationships with primary targets to ultimately achieve access at the primary targets. Entities targeted included DNS registrars, telecommunication companies, and internet service providers.[1] |
| enterprise | T1078 | Valid Accounts | Sea Turtle used compromised credentials to maintain long-term access to victim environments.[1] |
| enterprise | T1078.003 | Local Accounts | Sea Turtle compromised cPanel accounts in victim environments.[2] |
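As an added defender-side example (not part of the ATT&CK entry or any cited report), the check below compares an observed NS delegation and server certificate for a monitored domain against a known-good baseline and flags the two drift patterns described for T1584.002 and T1588.004 above. All domain names, fingerprints and CA names are constructed placeholders; in practice the observation would come from a DNS query and a Certificate Transparency log entry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What the organisation knows to be legitimate for one domain."""
    domain: str
    ns_servers: frozenset         # authoritative name servers set at the registrar
    cert_fingerprints: frozenset  # SHA-256 fingerprints of certificates it actually issued
    issuers: frozenset            # certificate authorities it actually uses


@dataclass(frozen=True)
class Observation:
    """One snapshot: current NS set plus a certificate seen for the domain."""
    domain: str
    ns_servers: frozenset
    cert_fingerprint: str
    issuer: str


def check_hijack_indicators(baseline: Baseline, obs: Observation) -> list[str]:
    """Return human-readable findings; an empty list means nothing drifted."""
    findings = []
    added = obs.ns_servers - baseline.ns_servers
    removed = baseline.ns_servers - obs.ns_servers
    if added or removed:
        # T1584.002 pattern: NS records re-pointed so other servers answer every lookup
        findings.append(f"{obs.domain}: NS delegation drift, "
                        f"added={sorted(added)}, removed={sorted(removed)}")
    if obs.cert_fingerprint not in baseline.cert_fingerprints:
        if obs.issuer in baseline.issuers:
            findings.append(f"{obs.domain}: unknown certificate from expected CA "
                            f"{obs.issuer} (verify it is a planned renewal)")
        else:
            # T1588.004 pattern: a valid CA-signed cert for the same name from another provider
            findings.append(f"{obs.domain}: certificate from unexpected CA {obs.issuer}")
    return findings


# Constructed sample data (placeholders, not real infrastructure).
BASELINE = Baseline("mail.example.org", frozenset({"ns1.example.org", "ns2.example.org"}),
                    frozenset({"aa" * 32}), frozenset({"Example Corporate CA"}))
CLEAN = Observation("mail.example.org", frozenset({"ns1.example.org", "ns2.example.org"}),
                    "aa" * 32, "Example Corporate CA")
DRIFTED = Observation("mail.example.org", frozenset({"ns1.example.org", "ns-unknown.invalid"}),
                      "bb" * 32, "Other Public CA")

if __name__ == "__main__":
    for finding in check_hijack_indicators(BASELINE, DRIFTED):
        print(finding)
```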
Software
| ID | Name | References | Techniques |
|---|---|---|---|
| S1163 | SnappyTCP | Sea Turtle used SnappyTCP following initial access in intrusions from 2021 to 2023.[5] | Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: Unix Shell; Encrypted Channel: Asymmetric Cryptography; Non-Application Layer Protocol; Server Software Component: Web Shell |
References
1. Cisco Talos. (2019, April 17). Sea Turtle: DNS Hijacking Abuses Trust In Core Internet Service. Retrieved November 20, 2024.
2. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
3. Microsoft. (2021, October). Microsoft Digital Defense Report. Retrieved November 20, 2024.
4. Paul Rascagneres. (2019, July 9). Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques. Retrieved November 20, 2024.
5. PwC Threat Intelligence. (2023, December 5). The Tortoise and The Malware. Retrieved November 20, 2024.