Sea Turtle
Associated Group Descriptions

| Name | Description |
|---|---|
| SILICON | (Citation: Microsoft Digital Defense 2021)(Citation: Hunt Sea Turtle 2024) |
| Teal Kurma | (Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024) |
| Marbled Dust | (Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024) |
| Cosmic Wolf | (Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Sea Turtle registered domains for authoritative name servers used in DNS hijacking activity and for command and control servers.(Citation: Talos Sea Turtle 2019_2)(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1583.002 | Acquire Infrastructure: DNS Server | Sea Turtle built adversary-in-the-middle DNS servers to impersonate legitimate services, which were later used to capture credentials.(Citation: Talos Sea Turtle 2019_2)(Citation: Talos Sea Turtle 2019) |
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Sea Turtle created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture.(Citation: Talos Sea Turtle 2019) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sea Turtle connected over TCP using HTTP to establish command and control channels.(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Sea Turtle used the tar utility to create a local archive of email data on a victim system.(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Sea Turtle used shell scripts for post-exploitation execution in victim environments.(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1584.002 | Compromise Infrastructure: DNS Server | Sea Turtle modified Name Server (NS) records to refer to Sea Turtle-controlled DNS servers, which then provided the responses for all DNS lookups.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2) |
| Enterprise | T1074.002 | Data Staged: Remote Data Staging | Sea Turtle staged collected email archives in the public web directory of an internet-accessible website.(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | Sea Turtle collected email archives from victim environments.(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1564.011 | Hide Artifacts: Ignore Process Interrupts | Sea Turtle executed SnappyTCP using the nohup utility, which keeps the malware running after the shell or terminal that launched it exits.(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1562.003 | Impair Defenses: Impair Command History Logging | Sea Turtle unset the Bash and MySQL history files on victim systems.(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | Sea Turtle has overwritten Linux system logs and unset the Bash history file (effectively disabling logging) during intrusions.(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | Sea Turtle downloaded source code files from remote addresses and then compiled them locally with GCC in victim environments.(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Sea Turtle has used tools such as Adminer during intrusions.(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1588.004 | Obtain Capabilities: Digital Certificates | Sea Turtle created new certificates using a technique called "certificate impersonation," in which Sea Turtle obtained a certificate authority-signed X.509 certificate from a different provider for the same domain, imitating the certificate already used by the targeted organization.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2) |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Sea Turtle deployed the SnappyTCP web shell during intrusion operations.(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024) |
| Enterprise | T1608.003 | Stage Capabilities: Install Digital Certificate | Sea Turtle captured legitimate SSL certificates from victim organizations and installed them on Sea Turtle-controlled infrastructure to enable subsequent adversary-in-the-middle operations.(Citation: Talos Sea Turtle 2019) |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts | Sea Turtle compromised cPanel accounts in victim environments.(Citation: Hunt Sea Turtle 2024) |
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S1163 | SnappyTCP | (Citation: PWC Sea Turtle 2023) | Unix Shell, Web Protocols, Asymmetric Cryptography, Web Shell, Non-Application Layer Protocol |
References

- Cisco Talos. (2019, April 17). Sea Turtle: DNS Hijacking Abuses Trust In Core Internet Service. Retrieved November 20, 2024.
- Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
- Microsoft. (2021, October). Microsoft Digital Defense Report. Retrieved November 20, 2024.
- Rascagneres, P. (2019, July 9). Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques. Retrieved November 20, 2024.
- PwC Threat Intelligence. (2023, December 5). The Tortoise and The Malware. Retrieved November 20, 2024.