Threat Actor Profile

Sea Turtle

Aliases: COSMIC WOLF, G1041, Marbled Dust, SILICON, Teal Kurma, UNC1326
Threat level: High
This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have in the Internet. That trust and the stability of the DNS system as a whole drive the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.
Origin: Turkey

Known TTPs

Acquire Infrastructure
Remote Data Staging
Local Email Collection
DNS Server
Install Digital Certificate
Prevent Command History Logging
DNS Server
Virtual Private Server
Digital Certificates
Archive via Utility
Ignore Process Interrupts
Tool
Exploit Public-Facing Application
Local Accounts
Exploitation for Client Execution
Phishing
External Remote Services
Databases
Domains
Compile After Delivery
Clear Linux or Mac System Logs
Unix Shell
Web Shell
Valid Accounts
Web Protocols
Trusted Relationship
Adversary-in-the-Middle

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…
