The notorious Turkish cyber espionage group Sea Turtle has ramped up covert operations against Kurdish groups in Europe, the Middle East and North Africa. Online infiltration spans media, telecommunications, and IT sectors, particularly targeting entities linked to the Kurdistan Workers’ Party (PKK), according to Dutch cybercrime prevention team Hunt & Hackett.
Sea Turtle began to intensify attacks three years ago, though operations have been ongoing since 2017. The resurgence underscores a heightened phase of Turkish state-affiliated cyber espionage.
Sea Turtle hacks websites and internal networks to monitor traffic and access protected information belonging to Kurdish community groups and political movements. Speaking anonymously, an analyst from Hunt & Hackett emphasised that these covert operations are strategically vital to the Turkish government for tracking dissidents in Europe.
The cyber espionage landscape in Turkey, with ten known Advanced Persistent Threat (APT) groups, often escapes global attention. Turkey’s sophisticated APTs, primarily centred on long-term political surveillance, remain less visible than the high-profile cybercrime operations coming out of North Korea and China.
Sea Turtle first made headlines in 2019 for compromising over 40 organisations across 13 countries, predominantly in the Middle East and Africa. Its signature technique involves DNS hijacking, redirecting internet traffic to infiltrate target networks. Despite a period of relative obscurity, the group’s recent actions indicate a persistent, albeit largely unchanged, modus operandi.
The group’s approach, which incorporates only basic anti-detection measures such as erasing Linux system logs, lacks sophistication. Notably, many of its tools were hosted on a now-removed public GitHub account. Nevertheless, these efforts successfully extracted sensitive information, including a complete email archive from an entity closely associated with the Kurdish political movement.
A separate group of hackers from Turkey, codenamed RE#TURGENCE, recently broke into password-protected servers across the US, Europe, and Latin America, according to cybersecurity news site Dark Reading. Once inside, they can access sensitive information and also deploy malicious software for financial gain, demanding payment to unlock the server’s data.