Delaware, USA – April 18, 2019 – The Sea Turtle cyberespionage campaign has lasted for more than 2 years, targeting military organizations, energy companies, and government entities in North Africa and the Middle East. Several APT groups actively carry out operations in this region (1, 2, 3), and Cisco Talos has published details about the new operation on its blog. The as-yet unidentified APT group leverages DNS hijacking to collect the credentials of users at organizations of interest, then uses the collected data to penetrate the internal network and maintain long-term persistence. At least 40 organizations in 13 countries were compromised during the Sea Turtle campaign. To perform the DNS hijacking, the adversaries first attack the internet service providers, telecommunications companies, and domain registrars that provide services to their primary targets. In these attacks they use spear phishing and a list of known vulnerabilities to gain persistence and move laterally. After changing the DNS records, the adversaries set up a man-in-the-middle (MitM) framework that uses a certificate impersonation technique so as not to arouse suspicion in the attacked organization.
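The redirect-then-impersonate pattern described above gives defenders two things to baseline and compare: the DNS answers for their own domain and the certificate served at the resolved address. The following check is an added example written for this article, not code from Cisco Talos or SOC Prime; all domains, addresses and fingerprints are constructed placeholders, and the "observations" stand in for answers a monitoring job would collect from several resolvers.

```python
# Added example (not from the original article): baseline comparison for spotting a DNS
# hijack followed by certificate impersonation. All values are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    domain: str
    ns: frozenset        # expected authoritative nameservers
    a: frozenset         # expected IPv4 answers
    cert_sha256: str     # pinned SHA-256 of the leaf certificate

@dataclass(frozen=True)
class Observation:
    vantage: str         # resolver / network the answers were seen from
    ns: frozenset
    a: frozenset
    cert_sha256: str     # fingerprint presented when connecting to the A record

def check_observation(base, obs):
    """Compare one vantage point's answers with the baseline; return deviations."""
    findings = []
    if obs.ns != base.ns:
        findings.append(f"{obs.vantage}: NS delegation changed to {sorted(obs.ns)}")
    unexpected = obs.a - base.a
    if unexpected:
        findings.append(f"{obs.vantage}: A record resolves to unexpected {sorted(unexpected)}")
    if obs.cert_sha256.lower() != base.cert_sha256.lower():
        findings.append(f"{obs.vantage}: TLS certificate differs from pinned fingerprint")
    return findings

def hijack_suspected(base, observations):
    """True when one vantage point shows BOTH changed DNS and a foreign certificate."""
    for obs in observations:
        dns_changed = obs.ns != base.ns or bool(obs.a - base.a)
        cert_changed = obs.cert_sha256.lower() != base.cert_sha256.lower()
        if dns_changed and cert_changed:
            return True
    return False

def vantage_disagreement(observations):
    """Resolvers disagreeing on the A answer is itself a signal worth alerting on."""
    return len({obs.a for obs in observations}) > 1

BASELINE = Baseline("example.org", frozenset({"ns1.example.org.", "ns2.example.org."}),
                    frozenset({"198.51.100.10"}), "a1" * 32)
OBSERVATIONS = [  # constructed: internal resolver is clean, external one is redirected
    Observation("internal-resolver", BASELINE.ns, BASELINE.a, BASELINE.cert_sha256),
    Observation("external-resolver", BASELINE.ns, frozenset({"203.0.113.77"}), "b2" * 32),
]
```

A hijack performed at a registrar or upstream provider may only be visible from some networks, which is why the check compares several vantage points rather than a single resolver.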
When a service company discovers a security breach, as was the case with Netnod at the beginning of this year, the group reduces its activity in the targeted country. In January, US-CERT issued an alert associated with the Sea Turtle campaign, and the current Cisco Talos report shows a significant interruption in operations after this publication until they resumed in March. The campaign continues. To protect your organization against sophisticated attacks and detect infiltration by state-sponsored groups in a timely manner with existing security tools, you can use the APT Framework rule pack, which detects signs of attacks using the methodology of the Lockheed Martin Cyber Kill Chain: https://my.socprime.com/en/integrations/apt-framework-arcsight