Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof log in portals and other applications for credential collection.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)

ID: G1041

Associated Groups: SILICON, Teal Kurma, Marbled Dust, Cosmic Wolf

Created: 20 Nov 2024

Last Modified: 28 Mar 2025

Name	Description
Associated Group Descriptions
SILICON	(Citation: Microsoft Digital Defense 2021)(Citation: Hunt Sea Turtle 2024)
Teal Kurma	(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)
Marbled Dust	(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)
Cosmic Wolf	(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1583	.001	Acquire Infrastructure: Domains	Sea Turtle registered domains for authoritative name servers used in DNS hijacking activity and for command and control servers.(Citation: Talos Sea Turtle 2019_2)(Citation: Hunt Sea Turtle 2024)
		.002	Acquire Infrastructure: DNS Server	Sea Turtle built adversary-in-the-middle DNS servers to impersonate legitimate services that were later used to capture credentials.(Citation: Talos Sea Turtle 2019_2)(Citation: Talos Sea Turtle 2019)
		.003	Acquire Infrastructure: Virtual Private Server	Sea Turtle created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture.(Citation: Talos Sea Turtle 2019)
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Sea Turtle connected over TCP using HTTP to establish command and control channels.(Citation: Hunt Sea Turtle 2024)
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	Sea Turtle used the tar utility to create a local archive of email data on a victim system.(Citation: Hunt Sea Turtle 2024)
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	Sea Turtle used shell scripts for post-exploitation execution in victim environments.(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)
Enterprise	T1584	.002	Compromise Infrastructure: DNS Server	Sea Turtle modified Name Server (NS) items to refer to Sea Turtle-controlled DNS servers to provide responses for all DNS lookups.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)
Enterprise	T1074	.002	Data Staged: Remote Data Staging	Sea Turtle staged collected email archives in the public web directory of a website that was accessible from the internet.(Citation: Hunt Sea Turtle 2024)
Enterprise	T1114	.001	Email Collection: Local Email Collection	Sea Turtle collected email archives from victim environments.(Citation: Hunt Sea Turtle 2024)
Enterprise	T1564	.011	Hide Artifacts: Ignore Process Interrupts	Sea Turtle executed SnappyTCP using the tool NoHup, which keeps the malware running on a system after exiting the shell or terminal.(Citation: Hunt Sea Turtle 2024)
Enterprise	T1562	.003	Impair Defenses: Impair Command History Logging	Sea Turtle unset the Bash and MySQL history files on victim systems.(Citation: Hunt Sea Turtle 2024)
Enterprise	T1070	.002	Indicator Removal: Clear Linux or Mac System Logs	Sea Turtle has overwritten Linux system logs and unsets the Bash history file (effectively removing logging) during intrusions.(Citation: Hunt Sea Turtle 2024)
Enterprise	T1027	.004	Obfuscated Files or Information: Compile After Delivery	Sea Turtle downloaded source code files from remote addresses then compiled them locally via GCC in victim environments.(Citation: Hunt Sea Turtle 2024)
Enterprise	T1588	.002	Obtain Capabilities: Tool	Sea Turtle has used tools such as Adminer during intrusions.(Citation: Hunt Sea Turtle 2024)
		.004	Obtain Capabilities: Digital Certificates	Sea Turtle created new certificates using a technique called the actors performed "certificate impersonation," a technique in which Sea Turtle obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)
Enterprise	T1505	.003	Server Software Component: Web Shell	Sea Turtle deployed the SnappyTCP web shell during intrusion operations.(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)
Enterprise	T1608	.003	Stage Capabilities: Install Digital Certificate	Sea Turtle captured legitimate SSL certificates from victim organizations and installed these on Sea Turtle-controlled infrastructure to enable subsequent adversary-in-the-middle operations.(Citation: Talos Sea Turtle 2019)
Enterprise	T1078	.003	Valid Accounts: Local Accounts	Sea Turtle compromised cPanel accounts in victim environments.(Citation: Hunt Sea Turtle 2024)

ID	Name	References	Techniques
Software
S1163	SnappyTCP	(Citation: PWC Sea Turtle 2023)	Unix Shell, Web Protocols, Asymmetric Cryptography, Web Shell, Non-Application Layer Protocol

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Sea Turtle

Associated Group Descriptions

Techniques Used

Software

References