Sea Turtle
Also known as: Teal Kurma · Marbled Dust · Cosmic Wolf · SILICON
Overview
Sea Turtle is a Türkiye-linked threat actor active since at least 2017, conducting espionage and service-provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars that manage ccTLDs and for complex DNS-based intrusions in which the actor compromised DNS providers to hijack DNS resolution for the ultimate victims, allowing it to spoof login portals and other applications for credential collection.
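The registrar/DNS-provider hijack pattern described above is hard to catch from the victim's own hosts, because nothing on them changes: the zone's delegation or host records are altered upstream, and the attacker's server (typically fronted by a freshly issued certificate) answers in place of the real portal. The check a zone owner can run is a baseline diff: compare the delegation and the A records of login and mail hosts, as several resolvers currently return them, against what the organisation knows it owns. The following is an added example written for this page, not code from threatfilter.dev or from any Sea Turtle report; the domains, IP ranges and resolver answers are constructed, and the observed answers are passed in as a dictionary so it runs offline (in production they would come from live queries against resolvers in different networks).

```python
"""
Baseline-diff check for a DNS delegation/record hijack (added example).

Flags three things an operator would want paged on:
  1. NS delegation moved to a nameserver outside the known set
  2. a critical host (VPN, mail, SSO) resolving outside owned address space
  3. resolvers disagreeing with each other on a critical host
All zone data below is constructed for the example (RFC 5737 / 2606 ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class ZoneBaseline:
    name: str
    nameservers: set          # FQDNs (with trailing dot) of the legitimate NS set
    owned_networks: list      # ip_network objects the organisation controls
    critical_hosts: set       # hosts whose A records must stay in owned ranges


@dataclass
class Finding:
    severity: str
    host: str
    detail: str


def check_zone(baseline, views):
    """views: {resolver_label: {record_name: {"NS": set(), "A": set()}}}."""
    findings = []

    # 1. Delegation: any NS not in the baseline is a hijack indicator, and
    #    because a registrar-level change is authoritative, every resolver
    #    will agree on the bad answer; only the baseline catches it.
    for resolver, records in views.items():
        ns_seen = records.get(baseline.name, {}).get("NS", set())
        unknown = ns_seen - baseline.nameservers
        if unknown:
            findings.append(Finding("critical", baseline.name,
                f"{resolver}: delegation to unexpected NS {sorted(unknown)}"))

    # 2. Critical hosts must resolve into address space the org owns.
    for host in sorted(baseline.critical_hosts):
        for resolver, records in views.items():
            for addr in sorted(records.get(host, {}).get("A", set())):
                ip = ip_address(addr)
                if not any(ip in net for net in baseline.owned_networks):
                    findings.append(Finding("critical", host,
                        f"{resolver}: {host} -> {addr} outside owned ranges"))

    # 3. Disagreement between vantage points: a partial hijack or cache
    #    poisoning shows up as different answers from different resolvers.
    for host in sorted(baseline.critical_hosts):
        answers = {r: frozenset(v.get(host, {}).get("A", set()))
                   for r, v in views.items()}
        if len(set(answers.values())) > 1:
            shown = {r: sorted(a) for r, a in sorted(answers.items())}
            findings.append(Finding("high", host,
                f"resolvers disagree on {host}: {shown}"))
    return findings


# Constructed baseline and observed answers (assumed names, not real infrastructure).
BASELINE = ZoneBaseline(
    name="example.test",
    nameservers={"ns1.example.test.", "ns2.example.test."},
    owned_networks=[ip_network("203.0.113.0/24")],
    critical_hosts={"mail.example.test", "vpn.example.test"},
)

VIEWS = {
    "resolver-a": {   # ISP resolver, still serving the legitimate answers
        "example.test": {"NS": {"ns1.example.test.", "ns2.example.test."}},
        "mail.example.test": {"A": {"203.0.113.25"}},
        "vpn.example.test": {"A": {"203.0.113.10"}},
    },
    "resolver-b": {   # public resolver that has picked up the altered delegation
        "example.test": {"NS": {"ns1.example.test.", "ns-x.attacker.test."}},
        "mail.example.test": {"A": {"203.0.113.25"}},
        "vpn.example.test": {"A": {"198.51.100.77"}},   # portal now lands on attacker host
    },
}


def run_example():
    return check_zone(BASELINE, VIEWS)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity}] {f.host}: {f.detail}")
```

Two caveats for running this for real. First, check 3 is the weakest signal: once a registrar account or ccTLD operator has been compromised, the altered delegation is authoritative and every resolver agrees, so the baseline comparison in checks 1 and 2 is what actually fires. Second, the same baseline idea should be applied to certificate issuance: the spoofed portals in this pattern are served with valid certificates (T1588.004 / T1608.003 in the TTP list below), so a CT-log watch for any certificate issued for the organisation's names outside its normal CA and pipeline is the complementary check.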
Regions
Germany
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
TTPs — 27 techniques across 9 tactics
Resource Development
- T1583 Acquire Infrastructure
- T1583.001 Domains
- T1583.002 DNS Server
- T1583.003 Virtual Private Server
- T1584.002 DNS Server
- T1588.002 Tool
- T1588.004 Digital Certificates
- T1608.003 Install Digital Certificate
Initial Access
- T1190 Exploit Public-Facing Application
- T1199 Trusted Relationship
- T1566 Phishing
Execution
- T1059.004 Unix Shell
- T1203 Exploitation for Client Execution
Persistence
- T1133 External Remote Services
- T1505.003 Web Shell
Stealth
- T1027.004 Compile After Delivery
- T1078 Valid Accounts
- T1078.003 Local Accounts
- T1564.011 Ignore Process Interrupts
Defense Impairment
- T1685.006 Clear Linux or Mac System Logs
- T1690 Prevent Command History Logging
Credential Access
- T1557 Adversary-in-the-Middle
Collection
- T1074.002 Remote Data Staging
- T1114.001 Local Email Collection
- T1213.006 Databases
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
Tools & malware (1)
- SnappyTCP
Reporting (3)
- Turkish espionage campaigns in the Netherlands — Hunt & Hackett Research Team
- The Tortoise and The Malware — PwC Threat Intelligence
- Microsoft Digital Defense Report — Microsoft