Sea Turtle | APT Profile

Description

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea Turtle](https://attack.mitre.org/groups/G1041) is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling [Sea Turtle](https://attack.mitre.org/groups/G1041) to spoof log in portals and other applications for credential collection.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)

Techniques Used (TTPs)

T1583 — Acquire Infrastructure (resource-development)
T1074.002 — Remote Data Staging (collection)
T1070.002 — Clear Linux or Mac System Logs (defense-evasion)
T1562.003 — Impair Command History Logging (defense-evasion)
T1114.001 — Local Email Collection (collection)
T1583.002 — DNS Server (resource-development)
T1608.003 — Install Digital Certificate (resource-development)
T1584.002 — DNS Server (resource-development)
T1583.003 — Virtual Private Server (resource-development)
T1588.004 — Digital Certificates (resource-development)
T1560.001 — Archive via Utility (collection)
T1564.011 — Ignore Process Interrupts (defense-evasion)
T1588.002 — Tool (resource-development)
T1190 — Exploit Public-Facing Application (initial-access)
T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1203 — Exploitation for Client Execution (execution)
T1566 — Phishing (initial-access)
T1133 — External Remote Services (persistence, initial-access)
T1213 — Data from Information Repositories (collection)
T1583.001 — Domains (resource-development)
T1027.004 — Compile After Delivery (defense-evasion)
T1059.004 — Unix Shell (execution)
T1505.003 — Web Shell (persistence)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1071.001 — Web Protocols (command-and-control)
T1199 — Trusted Relationship (initial-access)
T1557 — Adversary-in-the-Middle (credential-access, collection)

Total TTPs: 27

Malware & Tools

Malware: SnappyTCP

← Return to Home ← Back to APT Search