Sea Turtle Cyber Espionage Campaign: Targeting IT and Telecom Companies in the Netherlands

Posted by admin, 9 January 2024 11:32:03


Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle.

"The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents," Dutch security firm Hunt & Hackett said in a Friday analysis.

"The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals."

Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, detailing state-sponsored attacks targeting public and private entities in the Middle East and North Africa.

Activities associated with the group are believed to have been ongoing since January 2017, primarily leveraging DNS hijacking to redirect prospective targets attempting to query a specific domain to an actor-controlled server capable of harvesting their credentials.

"The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries," Talos said at the time.

In late 2021, Microsoft noted that the adversary carries out intelligence collection to meet strategic Turkish interests from countries like Armenia, Cyprus, Greece, Iraq, and Syria, striking telecom and IT companies with an aim to "establish a foothold upstream of their desired target" via exploitation of known vulnerabilities.

Then last month, the adversary was revealed to be using a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks carried out between 2021 and 2023, according to the PricewaterhouseCoopers (PwC) Threat Intelligence team.

"The web shell is a simple reverse TCP shell for Linux/Unix that has basic [command-and-control] capabilities, and is also likely used for establishing persistence," the company said. "There are at least two main variants; one which uses OpenSSL to create a secure connection over TLS, while the other omits this capability and sends requests in cleartext."

The latest findings from Hunt & Hackett show that Sea Turtle continues to be a stealthy espionage-focused group, performing defense evasion techniques to fly under the radar and harvest email archives.

In one of the attacks observed in 2023, a compromised-but-legitimate cPanel account was used as an initial access vector to deploy SnappyTCP on the system. It's currently not known how the attackers obtained the credentials.

"Using SnappyTCP, the threat actor sent commands to the system to create a copy of an email archive created with the tool tar, in the public web directory of the website that was accessible from the internet," the firm noted.

"It is highly likely that the threat actor exfiltrated the email archive by downloading the file directly from the web directory."
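A defender-side check for the exfiltration pattern described above (a tar email archive copied into the public web directory and then fetched over HTTP), written as an added example that is not part of the original article or of the Hunt & Hackett report: it lists archives under a web root, inspects their members for mail-store paths, and correlates them with successful downloads in an access log. The web root, the log lines and all file names are constructed sample data.

```python
import io, re, tarfile, tempfile
from pathlib import Path

# Constructed web-server access log (sample data, not taken from the report).
ACCESS_LOG = """\
203.0.113.5 - - [12/Mar/2023:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2023:10:02:03 +0000] "GET /backup/mail.tar HTTP/1.1" 200 734003200
198.51.100.9 - - [12/Mar/2023:10:05:10 +0000] "GET /theme.tar HTTP/1.1" 200 2048
"""
ARCHIVE_EXT = (".tar", ".tar.gz", ".tgz", ".tar.bz2")
# Member names that indicate a mail store (Maildir layout or mbox files).
MAIL_HINT = re.compile(r"(^|/)(Maildir|cur|new)/|\.mbox$", re.IGNORECASE)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')

def find_archives(webroot):
    """Archive files under the public web root, i.e. fetchable by anyone on the internet."""
    return sorted(p for p in Path(webroot).rglob("*") if p.is_file() and p.name.endswith(ARCHIVE_EXT))

def archive_holds_mail(path):
    """True if any member of the tar looks like part of a mail store."""
    with tarfile.open(path) as tf:
        return any(MAIL_HINT.search(m.name) for m in tf.getmembers())

def archive_downloads(log_text):
    """(client ip, url path, bytes) for every successful GET of an archive file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2).endswith(ARCHIVE_EXT) and m.group(3) == "200":
            hits.append((m.group(1), m.group(2), int(m.group(4))))
    return hits

def suspicious(webroot, log_text):
    """Archives that hold mail data AND were fetched over HTTP: the exfiltration pattern."""
    fetched = {path for _, path, _ in archive_downloads(log_text)}
    return [p.relative_to(webroot).as_posix() for p in find_archives(webroot)
            if "/" + p.relative_to(webroot).as_posix() in fetched and archive_holds_mail(p)]

def _add(tf, name, data):
    info = tarfile.TarInfo(name); info.size = len(data)
    tf.addfile(info, io.BytesIO(data))

def build_demo_webroot():
    """Constructed throwaway web root: one mail-store tarball, one harmless theme tarball."""
    root = Path(tempfile.mkdtemp()); (root / "backup").mkdir()
    with tarfile.open(root / "backup" / "mail.tar", "w") as tf:
        _add(tf, "home/user/Maildir/cur/1.eml", b"From: a@example.test\n")
    with tarfile.open(root / "theme.tar", "w") as tf:
        _add(tf, "theme/style.css", b"body{}")
    return root
```

Run `suspicious(build_demo_webroot(), ACCESS_LOG)` to see only the mail archive flagged; the theme tarball is downloaded too but carries no mail data, so it is not reported.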

To mitigate the risks posed by such attacks, it's advised that organizations enforce strong password policies, implement two-factor authentication (2FA), rate limit login attempts to reduce the chances of brute-force attempts, monitor SSH traffic, and keep all systems and software up-to-date.

Originally published by the WeChat public account 知机安全: Sea Turtle Cyber Espionage Campaign: Targeting IT and Telecom Companies in the Netherlands

Posted by admin on 9 January 2024 11:32:03. Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2378283.html
