Sea Turtle APT Group Analysis – Cyberthint

Sea Turtle APT Group

In this article, we will analyse an APT group that has recently attracted a lot of attention for its activities: “Sea Turtle”.

Sea Turtle is known as a cyber espionage group of Turkish origin. We will analyse their motivations, attack methods and potential impact, and discuss the measures and defence strategies that can be taken against such threats, in order to contribute to the security knowledge base of infrastructures.

The threat group, Sea Turtle, is also known under the names “Teal Kurma”, “Marbled Dust”, “SILICON” and “Cosmic Wolf”. They are estimated to be based in Turkey and are known to have been active since 2017. They first made a name for themselves with DNS hijacking. In 2021, Microsoft identified their activities, aligned with Turkish strategic interests, under the SILICON designation. Although information about them is limited and comes from few sources, the group's activity flows have been documented by many organisations.

Their main focus was seen to be organisations in Europe and the Middle East. Terrorist organisations that pose a threat to Turkey (e.g. the PKK), ISPs, IT service providers, media and entertainment organisations and telecommunication organisations are known to have been exposed to their activities.

The main activities carried out against these organisations can be defined as redirecting traffic intended for the targeted organisations' websites and obtaining unauthorised access to some government and organisational infrastructures. The target profiles mentioned above were instrumental in attributing the activity to this threat actor. The use of a reverse shell to maintain access caused the amount of data obtained to grow rapidly and broadened the range of new targets.

Some Techniques and Details of the Threat Group

1. Process Starting with cPanel Access Violations

Discovered in early 2023, this activity targeted a web hosting platform used by organisations worldwide. Seen in a broader context, several vectors may have enabled this breach; unauthorised access may have been gained by exploiting 0-days not yet addressed in security updates.

It was detected that a legitimate, authorised user logged on to the platform from the IP range of an identified VPN provider. An SSH session was also opened from the same IP address. Subsequently, a WebMail session was created using this account. Some time after the start of the operation, another connection was accepted via the cPanel Web Disk feature. From these detections we can see that the actor persistently utilised cPanel features throughout the operation.

Shortly after these detections, it was observed that the Adminer tool was installed in the public directory of one of the compromised cPanel accounts for the purpose of MySQL management. The same Adminer tool was also found in the public GitHub repository suspected to belong to the group, which also hosts the SnappyTCP source code discussed below. A few weeks after the cPanel Web Disk connection, a further cPanel account was breached and logged into cPanel; in the same way, a WebMail session was opened afterwards.
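The access sequence described above (cPanel login, SSH, WebMail and Web Disk from one VPN source address) replayed as a defender-side correlation check. This is an added example, not Cyberthint's code; the event layout, service names and the VPN range are constructed assumptions, and real cPanel logs use a different format.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed VPN provider range (placeholder, not a real allocation).
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# The cPanel-side services the article reports being used one after another.
SUSPECT_SERVICES = {"cpanel_login", "ssh", "webmail", "webdisk"}

# Constructed access events: ISO time, service, account, source IP.
# Real cPanel logs use a different layout; this one is an assumption.
SAMPLE_LOG = """\
2023-02-01T08:00:00 cpanel_login alice 203.0.113.10
2023-02-01T08:02:10 ssh alice 203.0.113.10
2023-02-01T08:05:30 webmail alice 203.0.113.10
2023-02-01T09:40:00 webdisk alice 203.0.113.10
2023-02-01T10:00:00 cpanel_login bob 198.51.100.7
2023-02-01T10:01:00 webmail bob 198.51.100.7
"""


def in_vpn_range(ip: str) -> bool:
    """True when the source address falls inside a known VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def parse_events(log: str):
    """Yield (time, service, account, ip) tuples from the constructed log."""
    for line in log.splitlines():
        ts, service, account, ip = line.split()
        yield datetime.fromisoformat(ts), service, account, ip


def flag_accounts(log: str, min_services: int = 3) -> dict[str, list[str]]:
    """Accounts that, from one VPN source IP, touched at least min_services
    distinct services; the value lists the services in the order first seen."""
    seen = defaultdict(list)  # (account, ip) -> services in time order
    for _ts, service, account, ip in sorted(parse_events(log)):
        if service in SUSPECT_SERVICES and in_vpn_range(ip):
            if service not in seen[(account, ip)]:
                seen[(account, ip)].append(service)
    return {account: services for (account, _ip), services in seen.items()
            if len(services) >= min_services}
```

Running `flag_accounts(SAMPLE_LOG)` reports only the account that walked through several services from the VPN range; the threshold and the range list are the knobs to tune for a real environment.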

2. Activities over Secure Protocols to Avoid Tracking

We mentioned that SSH sessions are opened with the breached authorised user accounts. The most important advantages this gives the actor are:

  • Providing a secure protocol infrastructure for lateral movement. After login, it provides secure protocol support for data communication, and with the authorisation obtained it allows silent lateral movement across the network.
  • It was used to achieve persistence in the network, including by enabling privilege escalation. The channels used through SSH played an important role in the data exfiltration activities of the operations.
  • Activities could be diversified and run in parallel by creating authorised SSH keys or using existing ones.

Following the access achieved by this APT group via cPanel, it was determined that they gained their initial foothold in the IT environment via these SSH sessions.

3. Activities through Backdoor Communication Channels

  • Backdoor activities were performed with the SnappyTCP tool. It started by downloading the source code of this tool from the server at “193.34.167[.]245”. When the tool is executed, it initiates an HTTP request with a URI containing “sy.php”; backdoor activity begins with a verification mechanism performed through this request.
  • The header “X-Auth-43245-S-20” is expected in the packet returned after the HTTP GET request. In addition, the packet size and the first character “@” are checked. Reverse shell access is then established using the IP/port information returned by the server. If this process fails, the procedure is repeated after a sleep.
  • The command and control (C&C) environment is thought to be configured in “socat” format. The command configuration in the traffic is characteristic of socat and is hosted on the same server (“.245/c00n/socat”). Requests made to the Sea Turtle group's servers with “hxxp[//]193.34.167[.]245/c00n/socat” were mostly observed to be answered with “@8.8.8[.]8:443”.
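The SnappyTCP check-in traits listed above (a GET to a “sy.php” URI, the “X-Auth-43245-S-20” response header, and a response body of the form “@IP:port”) turned into a detection helper that scores HTTP transactions. This is an added example, not code from Cyberthint or from the SnappyTCP project; the transaction record layout and the sample traffic are constructed assumptions, and the exact packet-size check the backdoor performs is not reproduced because the article does not state it.

```python
import re
from dataclasses import dataclass, field

# Response body shape reported in the article: "@8.8.8.8:443"
# (defanged there as "@8.8.8[.]8:443").
C2_BODY_RE = re.compile(r"^@(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
AUTH_HEADER = "X-Auth-43245-S-20"


@dataclass
class HttpTxn:
    """One request/response pair from a constructed proxy log (assumed layout)."""
    src_ip: str
    method: str
    uri: str
    resp_headers: dict = field(default_factory=dict)
    resp_body: str = ""


def score_transaction(txn: HttpTxn) -> list[str]:
    """Return the SnappyTCP check-in traits this transaction matches."""
    hits = []
    if txn.method == "GET" and "sy.php" in txn.uri:
        hits.append("uri:sy.php")
    # HTTP header names are case-insensitive, so normalise before comparing.
    if any(k.lower() == AUTH_HEADER.lower() for k in txn.resp_headers):
        hits.append("header:" + AUTH_HEADER)
    m = C2_BODY_RE.match(txn.resp_body.strip())
    if m and 0 < int(m.group(2)) < 65536:
        hits.append(f"body:reverse-shell-target {m.group(1)}:{m.group(2)}")
    return hits


def is_snappytcp_checkin(txn: HttpTxn) -> bool:
    """Two or more traits together match the check-in sequence described."""
    return len(score_transaction(txn)) >= 2


# Constructed sample transactions, not real captures.
SAMPLES = [
    HttpTxn("10.0.0.5", "GET", "/c00n/sy.php?id=1",
            {"x-auth-43245-s-20": "1", "Content-Length": "12"}, "@8.8.8.8:443"),
    HttpTxn("10.0.0.6", "GET", "/index.php", {"Content-Type": "text/html"}, "<html>"),
    HttpTxn("10.0.0.7", "GET", "/sy.php", {"Content-Type": "text/plain"}, "ok"),
]


def flagged_sources(samples=SAMPLES) -> list[str]:
    """Source IPs whose transactions look like a SnappyTCP check-in."""
    return [t.src_ip for t in samples if is_snappytcp_checkin(t)]
```

A lone “sy.php” request is common enough on shared hosting that it only scores one trait; the combination with the custom header or the “@IP:port” body is what should raise an alert.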

Identification for Sea Turtle

| Field | Details |
|---|---|
| Associations | Teal Kurma, Marbled Dust, SILICON, Cosmic Wolf |
| Targets | Governments, terrorist groups, telecommunication, IT providers, ISPs, media & entertainment organisations, NGOs |
| Geo Locations | Europe, Middle East, North Africa |
| Actions | MiTM to harvest credentials for initial access, theft of valid encryption certificates, redirecting legitimate website user traffic |
| Information Gathering | A reverse shell was utilised to obtain and export sensitive data. |
| Motivation | Activities are believed to have been conducted against government and media outlets for the purpose of gathering political and economic intelligence. |

TTPs

| Tactic | Technique | Findings |
|---|---|---|
| Resource Development | T1588.001 | Sea Turtle used the SnappyTCP malware, the source of which is available on GitHub. |
| Initial Access | T1133, T1078.004 | Sea Turtle compromised cPanel accounts and used SSH to gain access to the IT infrastructure. |
| Execution | T1059.004 | Sea Turtle used the Bash Unix shell to execute malicious commands and the SnappyTCP malware. |
| Persistence | T1505.003 | Sea Turtle executed SnappyTCP using the tool nohup, which keeps the malware running on a system after exiting the shell or terminal, and installed Adminer in the public web directory of a cPanel account. |
| Defense Evasion | T1070.003, T1070.002 | Sea Turtle reset the bash command history and MySQL history files and overwrote Linux system logs. |
| Collection | T1114.001 | Sea Turtle created a copy of the email archive of a compromised cPanel account in the public web directory of a website accessible from the Internet. |
| Command and Control | T1071.001, T1095 | Sea Turtle configured SnappyTCP to establish a command and control channel to the domain name forward.boord[.]info on port 443 using the TCP and HTTP protocols. |
| Exfiltration | T1567 | Sea Turtle created a copy of the email archive of a compromised cPanel account in the public web directory of a website accessible from the Internet. It is highly likely that Sea Turtle exfiltrated the email archive by downloading the file from the website. |

Indicators of Compromise


Source: https://cyberthint.io/sea-turtle-apt-group-analysis/