Sea Turtle is a Turkey-based APT focused on espionage and information theft against European and Middle Eastern targets, including government, NGOs, telecoms, IT services, and Kurdish groups; their operations have evolved to evade detection and involve reverse-shell tools and supply-chain-like techniques. This report details Sea Turtle campaigns in the Netherlands, including their use of SnappyTCP/Linux shells, cPanel compromises, and C2 infrastructure, with indicators and mitigation recommendations. #SeaTurtle #SnappyTCP #NoHup #cPanel #GitHub #PKK #Turkey #HuntAndHackett
Key points
- Sea Turtle (aka SILICON/Teal Kurma) is a Turkey-aligned APT focused on intelligence gathering and information theft for strategic Turkish interests.
- Campaigns target Europe, the Middle East, and specifically telecoms, ISPs, IT services, NGOs, and Kurdish/political groups (e.g., PKK).
- Modus operandi includes intercepting traffic, redirecting users, obtaining valid encryption certificates, and conducting man-in-the-middle activity to gain initial access.
- Public tooling and code: SnappyTCP reverse-shell tool with source code published on GitHub; NoHup used to keep persistence; Adminer installed for MySQL access.
- Dutch campaigns show cPanel compromises, SSH logins, and WebMail activity, with IT infrastructure access and data exfiltration (including email archives).
- MITRE-aligned technique set includes initial access via compromised credentials, C2 over HTTP/TCP, defense evasion (log clearing), and data collection/exfiltration, with several IOCs documented.
MITRE Techniques
- [T1588.001] Resource Development – Sea Turtle used the malware SnappyTCP from which the source code is available on GitHub. “Sea Turtle used the malware SnappyTCP from which the source code is available on GitHub.”
- [T1059.004] Execution – The Unix shell Bash was used to execute malicious commands and the malware SnappyTCP. “Sea Turtle used the Unix shell Bash to execute malicious commands and the malware SnappyTCP.”
- [T1114.001] Collection – Email archives were copied from a compromised cPanel account for exfiltration. “Sea Turtle created a copy of the e-mail archive of a compromised cPanel account in the public web directory of a website that was accessible from the internet.”
- [T1070.003] Defense Evasion – Bash and MySQL history were unset and system logs overwritten to hide activity. “unsets the command (Bash) and MySQL history file and has overwritten Linux system logs.”
- [T1071.001] Web Protocols – C2 channel established over HTTP/TCP to a domain; the domain and port are configured for C2. “The C2 channel is set up with… domain name forward.boord[.]info on port 443 using the protocols TCP and HTTP.”
- [T1095] Non-Application Layer Protocol – C2 communication leveraging a Socat-based channel. “The command-and-control (C&C) channel is set up with what Hunt & Hackett believes is a form of Socat… Socat shares the same commandline characteristics.”
- [T1133] External Remote Services – Initial access via compromised cPanel accounts and SSH. “compromised cPanel accounts and used SSH to get into the IT-infrastructure.”
- [T1078.004] Valid Accounts – SSH logon with compromised but valid credentials, from the same IP address used for the cPanel logon. “SSH logon from that same IP-address.”
- [T1114.001] Collection (additional note) – Email archive exfiltration corroborated by SSH/WebDisk activity and Adminer deployment.
Indicators of Compromise
- [IP Address] 82.102.19.88 – VPN-based logon to a cPanel account (M247 Europe SRL, Belgium).
- [IP Address] 62.115.255.163 – VPN-based logon to a cPanel account (Arelion, Denmark).
- [IP Address] 193.34.167.245 – VPN logon to a cPanel account and download of SnappyTCP; Snel.com, Netherlands.
- [Domain] forward.boord.info – C2 domain used to establish a channel.
- [SHA-1] f1a4abd70f8e56711863f9e7ed0a4a865267ec7 – Modified Socat tool used to set up C2.
- [IP Address] 93.115.22.212 – C2 host; response flows to @8.8.8.8:443 in the C2 table.
- [IP Address] 95.179.176.250 – C2-related IP; response to sy.php in the C2 table.
- [Filename] lo0.systemctl.network – File name observed within the collection of indicators related to the attack.
Read more: https://www.huntandhackett.com/blog/turkish-espionage-campaigns